Zero-day in Windows 7 & Server 2008 R2

French security researcher Clément Labro has accidentally discovered a zero-day vulnerability that impacts Windows 7 and Windows Server 2008 R2. The flaw lies in two service registry keys:

HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper
HKLM\SYSTEM\CurrentControlSet\Services\Dnscache

An attacker who already has a foothold on a vulnerable system can write to these keys and create a Performance sub-key, a key normally used by the Windows performance monitoring mechanism.

A Performance sub-key is normally used to monitor a service's performance, and because of that role it lets developers register their own DLL, which the performance counter machinery loads when the counters are collected. Since that loading is done by a privileged process, an unprivileged user who can create the sub-key under a service key can get a DLL of their choice executed with elevated rights. On recent Windows versions the permissions on these keys do not allow unprivileged users to do this.
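The following PowerShell audit is an added example, not code from the article or from PrivescCheck. It checks the two service keys named above for write access granted to principals other than the built-in administrative ones, and reports whether a Performance sub-key already registers a DLL. The value name Library is the documented name for the DLL path in a performance-counter registration; the list of "trusted" principals is an assumption to adapt to your environment. Run it in an elevated PowerShell on the host you want to check.

```powershell
# Added example (not from the article or PrivescCheck): audit the RpcEptMapper and
# Dnscache service keys for non-admin write access and for an existing Performance
# sub-key that points at a DLL.

$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\RpcEptMapper',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache'
)

# Principals expected to hold write access on service keys (assumption; adjust as needed).
$trusted = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

# Rights that let a caller create or modify a sub-key such as "Performance".
$writeRights = [int][System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [int][System.Security.AccessControl.RegistryRights]::SetValue -bor
               [int][System.Security.AccessControl.RegistryRights]::WriteKey -bor
               [int][System.Security.AccessControl.RegistryRights]::FullControl

function Test-ServiceKey {
    param([string]$Path)

    $result = [ordered]@{ Key = $Path; WritableBy = @(); PerformanceLibrary = $null }

    # Walk the DACL and collect every Allow ACE that grants a write right to an
    # identity outside the trusted list.
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.RegistryRights -band $writeRights) -eq 0) { continue }
        $who = $ace.IdentityReference.Value
        if ($trusted -notcontains $who) { $result.WritableBy += $who }
    }

    # A Performance sub-key with a Library value means a DLL is registered for loading.
    $perf = Join-Path $Path 'Performance'
    if (Test-Path $perf) {
        $result.PerformanceLibrary = (Get-ItemProperty -Path $perf -ErrorAction SilentlyContinue).Library
    }

    [pscustomobject]$result
}

$findings = $keys | ForEach-Object { Test-ServiceKey -Path $_ }
$findings | Format-List

foreach ($f in $findings) {
    if ($f.WritableBy.Count -gt 0) {
        Write-Warning "$($f.Key) grants write access to: $($f.WritableBy -join ', ')"
    }
    if ($f.PerformanceLibrary) {
        Write-Warning "$($f.Key)\Performance loads '$($f.PerformanceLibrary)'; verify this is expected"
    }
}
```

On a patched or modern system neither key should list a non-administrative identity under WritableBy, and neither should have a Performance sub-key at all; a warning on either point is what to investigate.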

Labro said he discovered the zero-day after releasing an update last month to PrivescCheck, his tool for finding common Windows security misconfigurations that malware can abuse for privilege escalation. He published the full investigation on his personal site.

Both Windows 7 and Windows Server 2008 R2 have officially reached end of life (EOL), and Microsoft has stopped providing free security updates. Some security updates are still available to Windows 7 customers through the company's paid ESU (Extended Security Updates) program, but a patch for this issue has not been released yet.

It is unclear whether Microsoft will patch Labro's new zero-day; however, ACROS Security has already put together a micro-patch, which the company released earlier today. The micro-patch is delivered through the company's 0patch agent and blocks exploitation of the bug on systems where it is installed, in the absence of an official fix.

Out-of-band update (OOBU) for Kerberos released by Microsoft

The issue is related to the PerformTicketSignature registry value introduced by the fix for CVE-2020-17049, a security feature bypass bug in the Kerberos Key Distribution Center (KDC) that Microsoft fixed on the last Patch Tuesday.

CVE-2020-17049, the tech company explains, resides in the manner in which KDC determines whether tickets are eligible for delegation via Kerberos Constrained Delegation (KCD).

“To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it. The update addresses this vulnerability by changing how the KDC validates service tickets used with KCD,”

Last week, the company identified a series of issues that could occur on writable and read-only domain controllers (DCs): tickets not being renewed for non-Windows Kerberos clients and S4UProxy delegation failing when PerformTicketSignature is set to 1 (the default), and services failing for all clients when PerformTicketSignature is set to 0.

“An out-of-band optional update is now available on the Microsoft Update Catalog to address a known issue affecting Kerberos authentication. As part of this issue, ticket renewal and other tasks, such as scheduled tasks and clustering, might fail. This issue only affects Windows Servers, and Windows 10 devices and applications in enterprise environments,”

The company recommends that only impacted organizations install the out-of-band update on their domain controllers. Microsoft warns that there are some issues that enterprises should be aware of when installing the update, related to the Microsoft Input Method Editor (IME) for Japanese or Chinese languages.

Microsoft Japan provided the steps that admins should take to address such issues, in addition to deploying the update to all of the DCs and RODCs (Read-Only Domain Controllers) in the environment.
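Before and after deploying the out-of-band update to every DC and RODC, it helps to know which PerformTicketSignature setting each KDC is actually running with. The following PowerShell script is an added example, not from the article or from Microsoft: it reads the value from every domain controller and flags inconsistencies. The registry location HKLM\SYSTEM\CurrentControlSet\Services\Kdc comes from Microsoft's CVE-2020-17049 deployment guidance and is not stated in the article; the script assumes the ActiveDirectory module is available and that you can run remote commands on the DCs.

```powershell
# Added example (not from the article or Microsoft): report PerformTicketSignature
# on every DC and RODC in the domain. The Kdc key path is from Microsoft's
# CVE-2020-17049 guidance, not from this article.

Import-Module ActiveDirectory

$kdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $value = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            param($Path)
            # Returns $null when the value (or the key) does not exist.
            (Get-ItemProperty -Path $Path -Name PerformTicketSignature -ErrorAction SilentlyContinue).PerformTicketSignature
        } -ArgumentList $kdcKey

        # Meaning of the value as described in the article: 1 is the default after the
        # November update, 0 turns the signature check off (the setting behind the
        # "services fail for all clients" issue). An absent value means the KDC uses
        # the default.
        if ($null -eq $value)  { $mode = 'not set (default behaviour)' }
        elseif ($value -eq 0)  { $mode = 'signature check disabled (0)' }
        elseif ($value -eq 1)  { $mode = 'default (1)' }
        else                   { $mode = "other ($value)" }

        [pscustomobject]@{
            DC                     = $dc.HostName
            ReadOnly               = $dc.IsReadOnly
            PerformTicketSignature = $mode
        }
    }
    catch {
        [pscustomobject]@{
            DC                     = $dc.HostName
            ReadOnly               = $dc.IsReadOnly
            PerformTicketSignature = "ERROR: $($_.Exception.Message)"
        }
    }
}

$report | Sort-Object DC | Format-Table -AutoSize

# Every KDC in the domain should be in the same mode; a mix is a sign that the
# update or the registry change was not rolled out to all DCs and RODCs.
$distinct = $report.PerformTicketSignature | Where-Object { $_ -notlike 'ERROR*' } | Sort-Object -Unique
if ($distinct.Count -gt 1) {
    Write-Warning "PerformTicketSignature differs across DCs: $($distinct -join '; ')"
}
```

Run it once before the change to capture the baseline and once after, and treat any DC that reports an error as unverified rather than as compliant.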

Microsoft presses pause on optional updates

Microsoft has told Windows 10 users and IT admins not to expect any optional Windows 10 preview updates in December beyond the mandatory Patch Tuesday updates.

The company will resume monthly servicing with the January 2021 security releases, it said.

Microsoft releases optional non-security Windows 10 updates after each Patch Tuesday to give customers time to test the fixes on their systems before they are rolled into the following month's mandatory release.

It calls the first week of each month 'A week', when it typically issues fixes for Office. The second week is 'B week', or Patch Tuesday. The optional preview updates ship in 'C week' and 'D week', the third and fourth weeks of the month.

The last time Microsoft paused the optional non-security updates that follow Patch Tuesday was in March 2020. It resumed optional updates in July but kept the Patch Tuesday schedule throughout the pandemic.

Microsoft also released a statement confirming it is starting to force-upgrade Windows 10 PCs on version 1903 to version 1909:

All editions of Windows 10, version 1903 and Windows 10 Server, version 1903 will reach end of service. After that date, devices running these editions will no longer receive monthly security and quality updates.

To keep you protected and productive, we will soon begin updating devices running Windows 10, version 1903 to Windows 10, version 1909. This update will install like a monthly update, resulting in a far faster update experience.

Microsoft warns on SIM swapping: take it seriously

Microsoft on Tuesday advised internet users to embrace multi-factor authentication (MFA), except for methods that rely on the public switched telephone network, namely SMS and voice calls.

Multi-factor authentication, for those who haven't been paying attention, adds one or more access requirements on top of password-based authentication. An online bank, for example, might send a text message to the mobile phone number associated with an account so that the person entering the password is more likely to be the account's legitimate owner.

The technique isn't foolproof, but it adds a further hurdle for attackers who have obtained, or guessed through various techniques, the password for a victim's online account. MFA also works well alongside a password manager: think of it as an additional layer of protection.

Microsoft's Alex Weinert says people should definitely use MFA. He claims that accounts protected by any type of MFA are compromised at a rate below 0.1 per cent of the general population. At the same time, users should stop relying on SMS or voice calls for one-time passcodes, which are the least secure MFA methods and can be defeated more easily than the alternatives.

Techniques like SIM swapping, where an attacker calls a mobile carrier posing as the customer and has the customer's number ported to a SIM card in the attacker's possession, let the attacker receive the victim's SMS and voice codes directly. Malware on the phone can likewise harvest codes delivered by SMS.

Microsoft's post recommends its Authenticator app instead: "The Authenticator uses encrypted communication, allowing bi-directional communication on authentication status, and we're currently working on adding even more context and control to the app to help users keep themselves safe."

Popular alternatives to Microsoft Authenticator include Twilio's Authy, Cisco's Duo Mobile, Google Authenticator, and password managers such as 1Password and LastPass that can generate one-time codes. Any of these is an improvement over SMS and voice.
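To make concrete why an authenticator app is not affected by SIM swapping, here is an added example, not from the article or from any vendor, of the time-based one-time password algorithm (TOTP, RFC 6238) that apps such as Google Authenticator and Authy use for their six-digit codes. The code is computed locally from a secret shared at enrolment and the current time, so nothing is sent over the phone network for an attacker holding a swapped SIM to intercept. The base32 secret in the self-test is the published RFC 4226/6238 test vector, not a real credential; the function and parameter names are this example's own.

```powershell
# Added example (not from the article): a minimal RFC 6238 TOTP generator in
# PowerShell, using only .NET classes that ship with Windows PowerShell 5.1.

function ConvertFrom-Base32 {
    # Decode the base32 alphabet used by authenticator-app secrets (RFC 4648).
    param([string]$Text)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bits = ''
    foreach ($c in $Text.ToUpper().TrimEnd('=').ToCharArray()) {
        $bits += [Convert]::ToString($alphabet.IndexOf($c), 2).PadLeft(5, '0')
    }
    $bytes = for ($i = 0; $i + 8 -le $bits.Length; $i += 8) {
        [Convert]::ToByte($bits.Substring($i, 8), 2)
    }
    return [byte[]]$bytes
}

function Get-Totp {
    param(
        [Parameter(Mandatory)][string]$Base32Secret,
        [long]$UnixTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds(),
        [int]$Step = 30,
        [int]$Digits = 6
    )

    # The moving factor is the number of whole time steps since the Unix epoch,
    # encoded as an 8-byte big-endian counter (RFC 4226 section 5.3).
    $counter = [long][math]::Floor($UnixTime / $Step)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }

    $key  = ConvertFrom-Base32 $Base32Secret
    $hmac = New-Object -TypeName System.Security.Cryptography.HMACSHA1 -ArgumentList (,$key)
    $hash = $hmac.ComputeHash($msg)

    # Dynamic truncation: the low nibble of the last byte selects a 4-byte window,
    # whose top bit is cleared to keep the value positive.
    $offset = $hash[$hash.Length - 1] -band 0x0F
    $binary = (($hash[$offset]     -band 0x7F) -shl 24) -bor
              (($hash[$offset + 1] -band 0xFF) -shl 16) -bor
              (($hash[$offset + 2] -band 0xFF) -shl 8)  -bor
               ($hash[$offset + 3] -band 0xFF)

    $modulus = [int][math]::Pow(10, $Digits)
    $code = $binary % $modulus
    return $code.ToString().PadLeft($Digits, '0')
}

# Self-test against the RFC 4226 / RFC 6238 vector: secret "12345678901234567890"
# (base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ) at Unix time 59 gives HOTP counter 1.
$testSecret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'
if ((Get-Totp -Base32Secret $testSecret -UnixTime 59) -ne '287082') {
    throw 'TOTP self-test failed'
}

# Current code for the same test secret; an authenticator app enrolled with this
# secret shows the same digits at the same moment, with no network involved.
Get-Totp -Base32Secret $testSecret
```

The shared secret is the only thing an attacker would need to reproduce these codes, which is why it must be protected on the device and at enrolment; a phone number, by contrast, can be taken over with a single call to the carrier.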