Eitan Caspi wrote Saturday, June 23, 2007 4:45 PM > Summary: While a user, at any security membership level, is logged > in locally, using the "run as" feature, it can kill all of the > processes running under the user who initiated the "run as" > feature, even if the > initiating user has a security membership level higher than the > user initiating the killing action under "run as". The kill is > performed using the taskkill.exe application which is built into > Windows XP. It's true Microsoft does not display a unified front on such security issues, and they sometimes have conflicting advice on their site. But Runas is more useful for escalating privilege than for downgrading it. Anything running on your interactive desktop can interact with anything else running on it, regardless of the security context that started each app. So privilege-lowering conveniences like Runas or even desktop VMs are absolutely subject to the possibility of cross-context interaction. There are security context checks built into many functions, and you did find one that does not have things as locked down as they should be, but these locks and checks are vector-specific and do not address the basic exploit potential directly. I don't see a lot of exploits of this potential, but it is designed into Windows and needs to be there for you to be able to interact with the apps yourself. So running an interactive sandbox on a trusted system will inherently increase your risks. See KB327618 for more info. - Jim
