Zero-day in Windows 7 & Server 2008 R2

A French security researcher has accidentally discovered a zero-day vulnerability that impacts the Windows 7 and Windows Server 2008 R2 operating systems. The flaw resides in two registry keys:

HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper
HKLM\SYSTEM\CurrentControlSet\Services\Dnscache

An attacker who already has a foothold on a vulnerable system can modify these registry keys to activate a sub-key normally used by the Windows Performance Monitoring mechanism.

“Performance” subkeys are normally used to monitor an application’s performance and, because of that role, they also let developers register their own DLL files so that custom tools can collect performance data. On recent Windows versions, the loading of these DLLs is restricted.
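As an added defensive check (not from the article, and not PrivescCheck’s own code), the PowerShell script below audits the two service keys named above on a host. For each service it reports whether a Performance subkey is present and which DLL its Library value names, and whether any low-privilege principal holds CreateSubKey or SetValue rights on the service key, which is the condition that would let such a subkey be planted. The list of “low-privilege” principals and the output format are this example’s own assumptions; a Performance subkey is legitimate on services that register performance counters, so its presence is a finding to review rather than proof of tampering.

```powershell
# Added audit script; assumptions are marked in comments. Run from an elevated prompt.
$services = @('RpcEptMapper', 'Dnscache')

# Assumption: principals that should never hold write rights on a service key.
$lowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

function Get-PerformanceSubkeyInfo {
    # Returns the Performance subkey's DLL registration values, or $null if absent.
    param([string]$ServiceName)
    $perfPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Performance"
    if (-not (Test-Path -Path $perfPath)) { return $null }
    $perf = Get-ItemProperty -Path $perfPath
    [PSCustomObject]@{
        Service = $ServiceName
        Library = $perf.Library   # DLL the performance-counter mechanism would load
        Open    = $perf.Open      # exported entry points named in the registration
        Collect = $perf.Collect
        Close   = $perf.Close
    }
}

function Get-WeakServiceKeyAces {
    # Returns Allow ACEs on the service key that grant CreateSubKey or SetValue
    # to one of the low-privilege principals listed above.
    param([string]$ServiceName)
    $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $acl = Get-Acl -Path $keyPath
    $wantedBits = [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                  [System.Security.AccessControl.RegistryRights]::SetValue
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # FullControl and WriteKey include the specific bits, so -band catches them too.
        if (([int]$ace.RegistryRights -band [int]$wantedBits) -ne 0) {
            [PSCustomObject]@{
                Service   = $ServiceName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

foreach ($svc in $services) {
    $perf = Get-PerformanceSubkeyInfo -ServiceName $svc
    if ($perf) {
        Write-Output "[$svc] Performance subkey present (review the Library DLL):"
        $perf | Format-List
    } else {
        Write-Output "[$svc] no Performance subkey"
    }

    $weak = @(Get-WeakServiceKeyAces -ServiceName $svc)
    if ($weak.Count -gt 0) {
        Write-Output "[$svc] low-privilege principals with write access to the service key:"
        $weak | Format-Table -AutoSize
    } else {
        Write-Output "[$svc] no low-privilege write access found"
    }
}
```

The script is a point-in-time check; for ongoing detection, Sysmon registry events (Event ID 12 for key creation and 13 for value writes) filtered on these two service paths give the same signal continuously.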

Labro said he discovered the zero-day after releasing an update to PrivescCheck last month, a tool that checks for common Windows security misconfigurations that malware can abuse for privilege escalation. He published the investigation report on his personal site.

Both Windows 7 and Windows Server 2008 R2 have officially reached end of life (EOL) and Microsoft has stopped providing free security updates. Some security updates are available for Windows 7 users through the company’s ESU (Extended Support Updates) paid support program, but a patch for this issue has not been released yet.

It is unclear if Microsoft will patch Labro’s new zero-day; however, ACROS Security has already put together a micro-patch, which the company released earlier today. The micro-patch is installed via the company’s 0patch security software and blocks exploitation of the bug on systems that have applied ACROS’ unofficial fix.

Patch Tuesday November 2020

  • Microsoft has plugged 112 security holes, including an actively exploited one
  • Adobe has delivered security updates for Adobe Reader Mobile and Adobe Connect
  • Intel has dropped a huge stack of security advisories and patches
  • SAP has released 12 security notes and updated three previously released ones
  • Mozilla has fixed a critical vulnerability affecting Firefox, Firefox ESR, and Thunderbird

Microsoft covers 112 CVEs this November affecting products ranging from our standard Windows Operating Systems and Microsoft Office products to some new entries such as Azure Sphere.

Microsoft CVE-2020-17087: Windows Kernel Local Elevation of Privilege Vulnerability

Coming as no surprise to anyone, the previously disclosed CVE-2020-17087 zero-day affecting all supported versions of Windows has a patch this month. The same patch remediates over half of the additional vulnerabilities detailed this month, so definitely have your patching cycles ready. CVE-2020-17087 is a buffer overflow vulnerability in the Windows Kernel Cryptography Driver that gave local attackers the ability to escalate privileges. That said, “exploitability is at least somewhat more limited than it might appear at first glance.” This does not diminish the need to prioritize operating system patching, because of the next vulnerability up for discussion: CVE-2020-17051.

Microsoft CVE-2020-17051: Windows Network File System Remote Code Execution

CVE-2020-17051 is this month’s highest-severity vulnerability, sitting at CVSS 9.8. Microsoft describes CVE-2020-17051 as a Remote Code Execution vulnerability affecting Windows Network File System. At the time of writing, information regarding this vulnerability is light, but Microsoft has noted that it has low attack complexity and does not require user interaction to exploit, which the high CVSS score reflects. At this point, this vulnerability is not known to be exploited in the wild.

Browser Vulnerabilities Come Back After An October Break

While it feels like it’s been a while, browser vulnerabilities are still a thing, and this month brought along five vulnerabilities affecting Internet Explorer and Edge browsers (EdgeHTML-based). CVE-2020-17048, CVE-2020-17052, CVE-2020-17053, CVE-2020-17054, and CVE-2020-17058 are all Remote Code Execution vulnerabilities potentially affecting Internet Explorer and/or Microsoft Edge (again, non-Chromium).

As a gentle reminder, Security-Only patches for operating systems that offer both Monthly Rollup and Security-Only update streams do not include browser remediations. Organizations opting for Security-Only patches should be aware that there are separate Cumulative Security Updates for Internet Explorer.

O365 Outage and it’s global

Microsoft 365 was down Monday evening, affecting new access requests to multiple services including Outlook, Word, Excel and Microsoft Teams.

“We’re investigating an issue affecting access to multiple Microsoft 365 services,” the Microsoft 365 Status account tweeted Monday at 5:44 p.m. ET. “We’re working to identify the full impact and will provide more information shortly.”

“Users may be unable to access multiple Microsoft 365 services,” the software giant posted on its Office status website.

The company determined that a specific portion of its infrastructure was not processing authentication requests in a timely manner. “We’re pursuing mitigation steps for this issue,” the status update said.

Microsoft Office program users who were already logged in would be able to continue their sessions, the company confirmed.

Microsoft Office outage reports began coming in at 5 p.m. ET Monday at online traffic site DownDetector. Some users began reporting a return of service about 8:30 p.m. ET on the site.

The outage stopped work for some, but created more work for others: IT specialists. “The #Office365 outage is generating tickets like crazy,” tweeted one. “I have just told 5 people in a row: ‘No I cannot fix it. Microsoft is working on it.’”

But others on Twitter had fun at Microsoft’s expense. “There’s a global 365 outage affecting microsoft outlook, i guess we won Monday after all.”

Another Twitter user posted a global outage map, noting “The Microsoft 365 Azure Outage isn’t that bad, it’s only down in places with people that are awake.”

Azure victim of Gadolinium – APT 40

Security researchers at Microsoft say they upended a hacking campaign that used the company’s own Azure commercial cloud service as part of the command-and-control network for its malware.

The hacking group — labeled Gadolinium by Microsoft and also known as APT40 — was hosting apps on Azure Active Directory and using open source tools “to enhance weaponization of their malware payload, attempt to gain command and control all the way to the server, and to obfuscate detection.”

APT40 has been linked to China’s government, and recent targets have reportedly included organizations in Taiwan and Malaysia. The typical goal is data exfiltration for espionage. Microsoft’s report does not mention China by name, but notes that the hacking group has previously focused on the maritime and health industries.

Beijing has denied in the past that it conducts such cyberattacks.

Microsoft said it suspended 18 of the Azure applications in April and has been continuing to track the group’s evolution.

“Because cloud services frequently offer a free trial or one-time payment (PayGo) account offerings, malicious actors have found ways to take advantage of these legitimate business offerings,” the researchers said. “By establishing free or PayGo accounts, they can use cloud-based technology to create a malicious infrastructure that can be established quickly then taken down before detection or given up at little cost.”

The use of open-source malware code also marks an evolution in the hacking group’s tactics, Microsoft said. For years, Gadolinium, also known as Leviathan, has leaned on “custom-crafted malware families that analysts can identify and defend against,” the researchers said. The open-source toolkits are a crafty way for the group “to obfuscate their activity and make it more difficult for analysts to track.”

As is common with attempted attacks on large organizations, the hackers looked to infiltrate via email: “These attacks were delivered via spear-phishing emails with malicious attachments,” the researchers said.

The report does not specify who the targets were, where they were based or how much data the attackers might have pilfered.

In addition to APT40’s known interest in specific industries and Pacific Rim targets, Microsoft said the hacking group’s “newly expanded targeting” appears to include “higher education and regional government organizations.”