0Patch releases updates for Windows 7/Server 2008 to fix privilege escalation vulnerabilities

Last week we mentioned that a researcher had found security configuration errors in the performance monitoring registry of Windows 7 and Windows Server 2008 (R2).

This configuration error can be used to escalate the privileges of local accounts and poses a potential security threat. However, the above-mentioned operating systems are currently out of support, so there is no security update.

Although Microsoft will make security updates in the future, they are only available to customers who have paid for the extended support, so ordinary users cannot get official Microsoft support.

The third-party security platform 0Patch has launched a free update. The platform aims to provide various unofficial fixes for Windows to improve security.

First of all, this security vulnerability is located in the RPC endpoint mapper and DNS cache. Strictly speaking, the vulnerability is a misconfiguration in the registry entries of these functions.


The attacker has to prepare a specific DLL file in advance and then modify the registry. Modifying the registry can trick the RPC endpoint mapper and DNS cache.

HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper
HKLM\SYSTEM\CurrentControlSet\Services\Dnscache

For example, a local non-administrator only needs to create a Performance subkey under the above registry path, fill in its content, and then trigger performance monitoring to trigger the vulnerability.

Because of Microsoft's wrong configuration, WmiPrvSe.exe automatically loads the DLL file controlled by the attacker when performance monitoring is triggered, which will cause greater problems.
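A defender-side audit of the two keys above, as an added PowerShell example that is not from 0Patch or the original article: it lists principals outside an expected set that may create subkeys or set values on the keys, and reports any Performance subkey that already exists. The `$trusted` list (English account names) is an assumption to adjust per environment.

```powershell
# Added example: audit the two service keys named in the article.
$serviceKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\RpcEptMapper',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache'
)

# Rights that allow creating a subkey or writing values under a key.
$writeRights = [System.Security.AccessControl.RegistryRights]'CreateSubKey, SetValue'

# Assumption: principals expected to hold write access (English names).
$trusted = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

foreach ($key in $serviceKeys) {
    if (-not (Test-Path -Path $key)) {
        Write-Output "$key : key not present"
        continue
    }

    # 1. Allow ACEs that give any other principal subkey-creation or
    #    value-write rights. ACEs expressed only as generic rights
    #    (inherit-only entries) are not matched by this mask.
    $acl = Get-Acl -Path $key
    foreach ($ace in $acl.Access) {
        $grantsWrite = (([int]$ace.RegistryRights) -band ([int]$writeRights)) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $grantsWrite -and
            ($trusted -notcontains $ace.IdentityReference.Value)) {
            Write-Output "$key : $($ace.IdentityReference.Value) allowed $($ace.RegistryRights)"
        }
    }

    # 2. A Performance subkey under either key should be reviewed:
    #    print its values so any referenced DLL path can be checked.
    $perf = Join-Path -Path $key -ChildPath 'Performance'
    if (Test-Path -Path $perf) {
        Write-Output "$perf : EXISTS, values follow"
        Get-ItemProperty -Path $perf |
            Select-Object -Property * -ExcludeProperty PS* |
            Format-List
    } else {
        Write-Output "$perf : absent"
    }
}
```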

For now, the vulnerability only affects Windows 7 and Windows Server 2008 (R2) versions, and other versions of Windows are not affected by the vulnerability.

The 0Patch client has provided fixes for the above vulnerabilities. Users only need to download and install the latest version to fix the vulnerabilities.

Fixing vulnerabilities through this platform will temporarily disable DNSCLIENT/RPCEPTMAPPER performance monitoring operations, that is, this performance monitoring is temporarily unavailable.

The 0Patch team stated that users can perform repairs according to their own needs, and the tool can be used to perform repairs without restarting the system and can be quickly turned on or off.