A free and temporary fix for a newly discovered zero-day in Windows 7 and Server 2008 R2 has been released by 0patch to prevent a local privilege escalation vulnerability from being actively exploited in the wild.
The bug affects all devices running Windows 7 and Server 2008 R2, regardless of whether they have been enrolled in Microsoft's Extended Security Updates (ESU) program, which costs between $25 and $200 per workstation.
The free micropatch released by 0patch will prevent the local privilege escalation vulnerability from being exploited by cybercriminals for systems without ESU and it will serve as a temporary fix for systems that are enrolled in the program until Microsoft releases a more permanent solution to the problem.
0patch provided more details on its new micropatch in a blog post, saying:
“According to our guidelines, this micropatch is free for everyone until Microsoft issues an official fix for it (presumably only as part of Extended Security Updates). By the time you're reading this the micropatch has already been distributed to all online 0patch Agents and also automatically applied except where Enterprise policies prevented that.”
If you're not yet an 0patch user and wish to install the micropatch on your systems, you can create an account in 0patch Central, install 0patch Agent and register it to your account.
Misconfigured registry keys
The local privilege escalation vulnerability is the result of two service registry keys being misconfigured and the bug could enable a local attacker to elevate their privileges on any system running Windows 7 and Server 2008 R2.
The zero-day was discovered by security researcher Clément Labro who recently published his analysis as well as a proof-of-concept that enabled 0patch to create its new micropatch for Windows users.
Insecure permissions on the HKLM\SYSTEM\CurrentControlSet\Services\Dnscache and HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper registry keys make it possible for an attacker to load malicious DLLs by tricking the RPC Endpoint Mapper.
In his report detailing the zero-day, Labro said he was surprised that the vulnerability wasn't found sooner:
“I don’t know how this vulnerability has gone unnoticed for so long. One explanation is that other tools probably looked for full write access in the registry, whereas AppendData/AddSubdirectory was actually enough in this case. Regarding the “misconfiguration” itself, I would assume that the registry key was set this way for a specific purpose, although I can’t think of a concrete scenario in which users would have any kind of permissions to modify a service’s configuration.”
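The point about tools checking only for full write access can be turned into a defensive audit. The PowerShell below is an added example, not code from 0patch or from Labro's report: it lists every Allow entry on the two keys that grants a non-trusted principal any modifying right, including Create Subkey on its own (the registry right that shares its access-mask bit with AppendData/AddSubdirectory). The trusted-principal list and the set of rights treated as risky are assumptions to adjust for your environment.

```powershell
# Added example: defensive ACL audit of the two service keys named in the article.
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache'
    'HKLM:\SYSTEM\CurrentControlSet\Services\RpcEptMapper'
)

# Assumption: only these principals should be able to modify service configuration.
$trusted = @(
    'S-1-5-18'       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that let a principal change the key. CreateSubKey is listed by itself,
# so a partial grant is reported even when full write access is absent.
$specific = [int][System.Security.AccessControl.RegistryRights]'CreateSubKey, SetValue, CreateLink, Delete, ChangePermissions, TakeOwnership'
$generic  = 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL stored unmapped in an ACE
$mask     = $specific -bor $generic

$sidType = [System.Security.Principal.SecurityIdentifier]

$findings = foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) { continue }
    $acl = Get-Acl -Path $key
    # Include explicit and inherited entries, resolved to SIDs for reliable matching.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        if ($trusted -contains $sid) { continue }
        $granted = [int]$ace.RegistryRights -band $mask
        if ($granted -eq 0) { continue }
        # Resolve the SID to a name where possible; keep the SID otherwise.
        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }
        New-Object PSObject -Property @{
            Key       = $key
            Principal = $name
            Rights    = [System.Security.AccessControl.RegistryRights]$granted
            Inherited = $ace.IsInherited
        }
    }
}

if ($findings) {
    $findings | Select-Object Key, Principal, Rights, Inherited | Format-Table -AutoSize
} else {
    'No modifying rights granted to non-trusted principals on the audited keys.'
}
```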
If you're running Windows 7 or Server 2008 R2 on your systems you should install 0patch's micropatch now regardless of whether you're enrolled in Microsoft's ESU program.