Security researchers discovered Windows 7/Windows Server 2008 zero-day vulnerability

A few days ago, French security researchers accidentally discovered vulnerabilities in Windows 7 and Windows Server 2008, which have been discontinued.

The attacker only needs to use very easy steps to elevate the privileges of the specially crafted .DLL file, and here is not the administrator privilege but the system level privilege.

At first, the researcher was not prepared to look for this vulnerability, but when testing the security update, he discovered that the registry entries configured by Microsoft by default had security flaws.

Theoretically speaking, an attacker only needs to modify and increase the registry key to trigger the vulnerability. After being upgraded to the system level, the attacker can do whatever he wants.

First of all, this security vulnerability is located in the RPC endpoint mapper and DNS cache. Strictly speaking, the vulnerability is located in the registry of these functions and there is a misconfiguration.

HKLM\SYSTEM\CurrentControlSet\Services\Dnscache
HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper

What the attacker has to do is to make a specific DLL file in advance and then modify the registry. Modifying the registry can trick the RPC endpoint mapper and DNS cache.

For example, a local non-administrator only needs to create a Performance subkey and fill in the content in the above registry path, and then trigger performance monitoring to trigger the vulnerability.

Because Microsoft’s wrong configuration will cause WmiPrvSe.exe to automatically load the DLL file controlled by the attacker when the performance monitoring is triggered, which will cause greater problems.

For now, the vulnerability only affects Windows 7 and Windows Server 2008 (R2) versions, and other versions of Windows are not affected by the vulnerability.

In view of the fact that Windows 7 and Windows Server 2008 have reached end-of-life and no longer receive support, even if researchers report the vulnerability to Microsoft, Microsoft will not be able to fix it.

Because after the support is stopped, Microsoft will no longer provide security updates to ordinary users and enterprises, unless the enterprise pays a higher fee to Microsoft for extended support.

If home users or business users still use these old operating systems and do not purchase additional extended support, they should consider upgrading to a new supported version.

Of course, if the enterprise environment is based on security considerations, it is recommended that the enterprise isolate these old system machines from the network to prevent attackers from launching attacks through the network means.

Microsoft has not yet issued a response to this vulnerability, but now that the researchers have notified it, Microsoft estimates that it is preparing a fix for the extended support enterprises.