A free and temporary fix for a newly discovered zero-day in Windows 7 and Server 2008 R2 has been released by 0patch to prevent a local privilege escalation vulnerability from being actively exploited in the wild.
The bug affects all devices running Windows 7 and Server 2008 R2 regardless of whether or not these devices have been enrolled in Microsoft's Extended Security Updates (ESU) program which costs between $25 and $200 per workstation.
The free micropatch released by 0patch will prevent the local privilege escalation vulnerability from being exploited by cybercriminals for systems without ESU and it will serve as a temporary fix for systems that are enrolled in the program until Microsoft releases a more permanent solution to the problem.
0patch provided more details on its new micropatch in a blog post, saying:
“According to our guidelines, this micropatch is free for everyone until Microsoft issues an official fix for it (presumably only as part of Extended Security Updates). By the time you're reading this the micropatch has already been distributed to all online 0patch Agents and also automatically applied except where Enterprise policies prevented that.”
If you're not yet an 0patch user and wish to install the micropatch on your systems, you can create an account in 0patch Central, install 0patch Agent and register it to your account.
Misconfigured registry keys
The local privilege escalation vulnerability is the result of two service registry keys being misconfigured and the bug could enable a local attacker to elevate their privileges on any system running Windows 7 and Server 2008 R2.
The zero-day was discovered by security researcher Clément Labro, who recently published his analysis as well as a proof-of-concept that enabled 0patch to create its new micropatch for Windows users.
Insecure permissions on the HKLM\SYSTEM\CurrentControlSet\Services\Dnscache and HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper registry keys make it possible for an attacker to load malicious DLLs by tricking the RPC Endpoint Mapper.
In his report detailing the zero-day, Labro explained that he was surprised the vulnerability wasn't found sooner, saying:
“I don’t know how this vulnerability has gone unnoticed for so long. One explanation is that other tools probably looked for full write access in the registry, whereas AppendData/AddSubdirectory was actually enough in this case. Regarding the “misconfiguration” itself, I would assume that the registry key was set this way for a specific purpose, although I can’t think of a concrete scenario in which users would have any kind of permissions to modify a service’s configuration.”
If you're running Windows 7 or Server 2008 R2 on your systems you should install 0patch's micropatch now regardless of whether you're enrolled in Microsoft's ESU program.
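The permission Labro describes can be checked directly on a host. The following PowerShell is an added example, not code from Labro's report or from 0patch: it reads the ACLs of the two keys named above and lists allow entries that give broad groups the right to create subkeys, rather than looking only for full write access. The set of SIDs treated as low-privileged and the function name Get-RiskyServiceKeyAce are assumptions made for this example.

```powershell
# Added audit example (not from the article, Labro's report or 0patch).
# Read-only: it inspects ACLs and changes nothing. Written for PowerShell 2.0+.

# Assumption: these well-known SIDs are the groups treated as low-privileged.
$lowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# The two service keys named in the article.
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache',
    'HKLM:\SYSTEM\CurrentControlSet\Services\RpcEptMapper'
)

# CreateSubKey is access-mask bit 0x4, the bit that generic ACL viewers label
# AppendData/AddSubdirectory. WriteKey and FullControl contain this bit too.
$createSubKey = [int][System.Security.AccessControl.RegistryRights]::CreateSubKey
$inheritOnly  = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-RiskyServiceKeyAce {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path $p)) { continue }
        $acl = Get-Acl -Path $p
        # Request SIDs instead of account names so the check works on localized systems.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($r in $rules) {
            $sid = $r.IdentityReference.Value
            if ($r.AccessControlType -ne 'Allow') { continue }
            if (-not $lowPrivSids.ContainsKey($sid)) { continue }
            # Inherit-only entries apply to child keys, not to this key itself.
            if ($r.PropagationFlags -band $inheritOnly) { continue }
            if (([int]$r.RegistryRights -band $createSubKey) -eq 0) { continue }
            New-Object PSObject -Property @{
                Key       = $p
                Principal = $lowPrivSids[$sid]
                Rights    = $r.RegistryRights
                Inherited = $r.IsInherited
            }
        }
    }
}

Get-RiskyServiceKeyAce -Path $keys |
    Select-Object Key, Principal, Rights, Inherited |
    Format-Table -AutoSize
```

An empty result means none of the listed groups holds an effective allow entry with the create-subkey bit on either key.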
Via Bleeping Computer