Security risks: when Low IL process is allowed to launch elevated services?

Are there security risks, when a low integrity process is allowed to l开发者_运维问答aunch a medium/high integrity process via COM ?

Well, according to this documentation

CoCreateInstance and Integrity Levels

The behavior of CoCreateInstance has changed in Windows Vista, to prevent Low IL clients from binding to COM servers by default. The server must explicitly allow such bindings by specifying the SACL. The changes to CoCreateInstance are as follows:

1. When launching a COM server process, the IL in the server process token is set to the client or server token IL, whichever is lower.
2. By default, COM will prevent Low IL clients from binding to running instances of any COM servers. To allow the bind, a COM server's Launch/Activation security descriptor must contain a SACL that specifies the Low IL label (see the previous section for the sample code to create such a security descriptor).

So when launching a new instance of a COM server, it will also run with low integrity. It is possible to attach to an existing high integrity service, though this has to be explicitly enabled in the SACL. I guess it is a potential security risk, since if there is a buffer overflow (for example) in the COM server the exploit code would end up running with high integrity. This is why Microsoft makes you explicitly enable this feature, and most likely it is only there to help with backward compatibility.