ISS would like to have you believe otherwise... when I contacted them
about the Local SYSTEM escalation in BlackICE we went in circles over
the fact that I feel that taking local SYSTEM on a win32 box IS a
problem and they don't. They tryed to say some crap like "in all our
years in the industry we have never had a customer state that local
windows security was a concern... blah blah (paraphrasing)". And
something along the lines of "Windows is not a true multi-user system
(like unix) so local escalation means nothing."
> Also, at least in MS Windows, it's my personal feeling that local
privilege escalation issues (particularly escalation to kernel or system
status) should be critical issues. Whether people can run arbitrary
code on MS Windows systems these days isn't an exercise for the mind
anymore, it's an exercise of "go look at your neighbors computer and see
that it's done regularly".
Full-Disclosure - We believe in it.