
A French security researcher has accidentally discovered a zero-day vulnerability that impacts the Windows 7 and Windows Server 2008 R2 operating systems. The vulnerability resides in two registry keys:
HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper
HKLM\SYSTEM\CurrentControlSet\Services\Dnscache
An attacker that has a foothold on vulnerable systems can modify these registry keys to activate a sub-key usually employed by the Windows Performance Monitoring mechanism.
“Performance” subkeys are usually employed to monitor an app’s performance, and, because of their role, they also allow developers to load their own DLL files to track performance using custom tools. On recent Windows versions, these DLLs are restricted.
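
A defender can audit both keys for the condition described above: who is allowed to modify them, and whether a Performance subkey is already present. The following PowerShell is an added example, not code from the article or from PrivescCheck; the list of trusted principals and the rights treated as write access are assumptions.

```powershell
# Added example: audit the two service keys named in the article (local machine).
$serviceKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\RpcEptMapper',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache'
)

# Assumption: rights that let a principal "modify" a key in the article's sense
# (add a subkey or write values under it).
$writeRights = [int][System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [int][System.Security.AccessControl.RegistryRights]::SetValue

# Assumption: principals expected to hold write access on service keys.
$trusted = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

foreach ($key in $serviceKeys) {
    if (-not (Test-Path -Path $key)) {
        Write-Output "[-] $key is not present on this host"
        continue
    }

    # Report an existing Performance subkey and its values for manual review.
    $perfKey = "$key\Performance"
    if (Test-Path -Path $perfKey) {
        Write-Output "[!] $perfKey exists; values:"
        Get-ItemProperty -Path $perfKey | Format-List
    }

    # Flag every Allow entry that grants write-type rights to a principal
    # outside the trusted list.
    $acl = Get-Acl -Path $key
    foreach ($rule in $acl.Access) {
        $isAllow  = $rule.AccessControlType -eq 'Allow'
        $canWrite = (([int]$rule.RegistryRights) -band $writeRights) -ne 0
        $who      = $rule.IdentityReference.Value
        if ($isAllow -and $canWrite -and ($trusted -notcontains $who)) {
            Write-Output "[!] $key : '$who' is allowed $($rule.RegistryRights)"
        }
    }
}
```

The script only reads the registry. It does not map generic access bits, so review the full `Get-Acl` output for any entry it does not flag but that looks unusual.
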
Labro said he discovered the zero-day after he released an update to PrivescCheck last month, a tool that checks for common Windows security misconfigurations that can be abused by malware for privilege escalation. He disclosed the investigation report on his personal site.
Both Windows 7 and Windows Server 2008 R2 have officially reached end of life (EOL) and Microsoft has stopped providing free security updates. Some security updates are available for Windows 7 users through the company’s ESU (Extended Support Updates) paid support program, but a patch for this issue has not been released yet.
It is unclear if Microsoft will patch Labro’s new zero-day; however, ACROS Security has already put together a micro-patch, which the company released earlier today. The micro-patch is installed via the company’s 0patch security software, and this unofficial patch prevents malicious actors from exploiting the bug.