CVE-2010-3961

Name of the Vulnerable Software and Affected Versions Microsoft Windows Vista versions SP1 through SP2 Microsoft Windows Server 2008 versions Gold through SP2 and R2 Microsoft Windows 7 (affected versions not specified)

Description The issue arises from the Consent User Interface (UI) not properly handling an unspecified registry-key value. This allows local users with SeImpersonatePrivilege rights to gain privileges via a crafted application. The vulnerability could allow an attacker to run code with elevated privileges, potentially executing arbitrary code and taking complete control of an affected system. This could enable the attacker to install programs, view, change, or delete data, or create new accounts with full user rights.

Recommendations For Microsoft Windows Vista versions SP1 through SP2, update to a version that properly handles registry-key values to prevent elevation of privilege. For Microsoft Windows Server 2008 versions Gold through SP2 and R2, apply a configuration change to restrict the Consent UI's ability to process special registry values. For Microsoft Windows 7, at the moment, there is no information about a newer version that contains a fix for this vulnerability.