A French security researcher accidentally discovered a zero day vulnerability. This affects Windows 7 and Windows Server 2008 R2 operating systems. Meanwhile, an update for a Windows security tool is in the works.
A zero day vulnerability in Windows 7 needs to be fixed
The vulnerability resides in two misconfigured registry keys for the RPC Endpoint Mapper and DNSCache services that are part of all Windows installations.
HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper
HKLM\SYSTEM\CurrentControlSet\Services\Dnscache
French security researcher Clément Labro was the one who discovered the vulnerability in Windows 7. He says that an attacker with a foothold on a vulnerable system can modify these registry keys to activate a subkey that is typically used by the Windows performance monitoring mechanism.
“Performance” subkeys are used to monitor the performance of an application, and because of that role they also allow developers to load their own DLL files in order to monitor performance with custom tools.
In recent versions of Windows these DLLs are often restricted and loaded with limited privileges, but Labro said that in Windows 7 and Windows Server 2008 it is still possible to load custom DLLs, and they run with system-level privileges.
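A defender-side check for the misconfiguration described above, added here as an example and not taken from the article or from PrivescCheck: it lists ACEs on the two service keys that grant low-privileged principals write rights, and flags an existing Performance subkey. The list of principals and the rights mask are this script's own assumptions about what counts as low-privileged and as write access.

```powershell
# Added example (not from the article or from PrivescCheck): audit the ACLs of the two
# service keys named in the article for write access granted to low-privileged principals.
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\RpcEptMapper',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache'
)

# Assumed set of principals that should never be able to write under a service key.
$lowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Registry rights that let a caller add a Performance subkey or change what it points to.
# Deliberately excludes composite rights such as WriteKey/ReadKey, which share the
# ReadPermissions bit and would make a read-only ACE look like a write ACE.
$writeRights = [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
               [System.Security.AccessControl.RegistryRights]::TakeOwnership

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { Write-Warning "$key not found"; continue }
    $acl = Get-Acl -Path $key
    foreach ($ace in $acl.Access) {
        $isAllow     = $ace.AccessControlType -eq 'Allow'
        $isLowPriv   = $lowPrivPrincipals -contains $ace.IdentityReference.Value
        $grantsWrite = ($ace.RegistryRights -band $writeRights) -ne 0
        if ($isAllow -and $isLowPriv -and $grantsWrite) {
            # Each finding is one ACE that lets a low-privileged user reconfigure the service key.
            [pscustomobject]@{
                Key       = $key
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
    # A Performance subkey already present on either service key deserves a look:
    # its Library value names the DLL that the performance monitoring mechanism loads.
    if (Test-Path "$key\Performance") {
        $lib = (Get-ItemProperty -Path "$key\Performance" -ErrorAction SilentlyContinue).Library
        Write-Warning "$key\Performance exists; Library = '$lib'"
    }
}
```

No output means no low-privileged write ACE was found on either key and no Performance subkey exists; a patched or non-vulnerable build should produce none.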
A problem accidentally discovered and disclosed
Labro said he discovered the vulnerability in Windows 7 when he released an update to PrivescCheck, a tool that checks for common Windows security configuration errors that malware can abuse to gain elevated privileges.
The update, released last month, added support for a new set of checks for privilege escalation techniques.
Labro said he did not realise the new checks had highlighted a new, unpatched privilege escalation method until he began investigating a series of alerts that appeared on older systems such as Windows 7, a few days after the release.
At that point, it was too late for the researcher to report the issue to Microsoft privately, and the researcher opted to blog about the new method.
Windows 7 and Windows Server 2008 R2 have officially reached end of life (EOL) and Microsoft has stopped providing free security updates. Some security updates are available to Windows 7 users through the company’s paid Extended Security Updates (ESU) program, but a fix for this issue has not yet been released.
It is unclear whether Microsoft will patch Labro’s new zero-day; however, ACROS Security has already created a micro-patch, which the company released today. The micro-patch is delivered through the company’s 0patch security software and blocks exploitation of the bug, although it is an unofficial fix from ACROS rather than one from Microsoft.