bezabhadir1982

Micro Patch for Windows 0-Day file write vulnerability: What you need to know about the latest explo



This vulnerability was discovered by Lucas Leong of the Trend Micro Security Research team and could allow attackers to perform remote code execution on a vulnerable machine. To initiate the attack, a specially crafted Jet database file would need to be opened; opening it triggers an out-of-bounds write past the program's memory buffer, which can then lead to remote code execution on the targeted Windows computer.




Micro Patch for Windows 0-Day file write vulnerability



"The specific flaw exists within the management of indexes in the Jet database engine. Crafted data in a database file can trigger a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code under the context of the current process."


After publishing the article, we were notified that 0patch has released third-party micropatches that resolve this vulnerability. They have also confirmed that this vulnerability affects Windows 10, Windows 8.1, Windows 7, and Windows Server 2008-2016.


"If a vendor response is received within the timeframe outlined above, ZDI will allow the vendor 4-months (120 days) to address the vulnerability with a security patch or other corrective measure as appropriate," states the ZDI disclosure policy. "At the end of the deadline, if a vendor is not responsive or unable to provide a reasonable statement as to why the vulnerability is not fixed, the ZDI will publish a limited advisory including mitigation in an effort to enable the defensive community to protect the user. We believe that by taking these actions, the vendor will understand the responsibility they have to their customers and will react appropriately. Extensions to the 120-day disclosure timeline will not be granted."


A new bug in Windows has been known for a few days that prevents the "Mark of the Web" flag from being evaluated for broken signatures. Microsoft itself has not yet released a patch for this 0-day vulnerability. The vulnerability is already being exploited. Therefore, ACROS Security has addressed the problem and developed a 0patch micropatch to close it. The patch is free; only the 0patch agent is needed.


I reported on the issue two days ago in the blog post Windows 0-day (Mark of the Web) used for ransomware attacks via JavaScript. There is no patch for this vulnerability from Microsoft yet. Mitja Kolsek, the founder of ACROS Security, informed me about this micropatch in a personal message a few hours ago, but also made the whole thing public in the following tweet, with the details in this blog post.


This is now the second unpatched vulnerability in this area (see Windows: 0Patch Micropatch for MOTOW ZIP file bug (0-day, no CVE)).


ACROS Security has analyzed the vulnerability and released micropatches for it. These are available for free via the 0patch agent until Microsoft has released the official fix. Details on how it works can be read in this blog post. Notes on how the 0patch agent works, which loads the micropatches into memory at an application's runtime, can be found in blog posts (such as here).






The National Vulnerability Database recorded 22,000 new vulnerabilities in 2021. The primary issue is the time an organization needs (about 60.3 days on average) to resolve a single vulnerability. This means attackers get roughly 60 days to exploit a vulnerability before it gets fixed. Therefore, it is essential to micropatch a vulnerability as soon as it is detected. Micropatching is the practical solution so far. But what are micropatches?


Micropatching is the use of a small piece of code to fix an individual vulnerability without requiring a reboot, downtime, or outages for the system. A micropatch is small: it identifies the vulnerable application, the location where the patch is injected, and the patch code itself. These micropatches are generally available from a third-party provider.


It is called a micropatch because it is a small patch that fixes only the selected individual security vulnerability. Because these patches come from third-party providers rather than the original software vendor, and crafting them is laborious, the focus is mostly on fixing critical vulnerabilities.


Micropatching addresses this delay: the vulnerability is fixed as soon as it is detected, and third-party vendors keep micropatches ready to improve the security of processes and products.


Patching and micropatching are similar in that both repair a flaw or vulnerability identified after a software or product release. Newly released patches and micropatches fix a security flaw, bug, or vulnerability, and regular patches may also add new features. The difference lies in how they fix the vulnerability.


Though micropatching is specific to individual vulnerabilities and can fix them quickly, some logic flaws are still difficult to fix. Flaws in scripted code, such as in applications written in Python or PHP, remain vulnerable because that code is only interpreted at runtime.


The best thing about the 0patch micropatching solution is that the executable files are neither replaced nor modified on disk; they are corrected in memory only. So no relaunch is required while 0patch applies micropatches to running processes.


A zero-day (or 0-day) attack exploits a software vulnerability before the vendor has become aware of it. At that point, no patch exists, so attackers can exploit the vulnerability knowing that no defenses are in place. This makes zero-day vulnerabilities a severe security threat.


In 2011, attackers used an unpatched vulnerability in Adobe Flash Player to gain entry into the network of security vendor RSA. The attackers distributed emails via Excel spreadsheet attachments to RSA employees; the attachments activated a Flash file, which exploited the zero-day Flash vulnerability. The data stolen included key information used by RSA customers in SecurID security tokens.


Recently, a Microsoft Support Diagnostic Tool (MSDT) zero-day vulnerability dubbed "Follina" came to the surface when security researchers found it and the word got around thanks to the media. Microsoft apparently dismissed the vulnerability as a non-security issue initially (via @CrazymanArmy on Twitter), though later the company acknowledged the remote code execution (RCE) vulnerability and assigned it the tracking ID CVE-2022-30190. While Microsoft provided no official patch, only steps to disable MSDT, the 0patch team released a micropatch that you can download from the link in its official blog post here.


The vulnerability exists due to an ALPC access control flaw. A local attacker can create a hard link from a readable file on the system to a '.job' file in the 'c:\windows\tasks' directory, invoke the _SchRpcSetSecurity() method of the Task Scheduler service ALPC endpoint to overwrite the linked file, and gain system-level privileges on the target system. The vulnerability was dubbed "SandboxEscaper".
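Because the primitive above depends on a hard link placed in the tasks directory, a defender can check that directory for '.job' files whose link count is greater than one. The script below is an added example, not code from the original post or from 0patch; the function name and the directory parameter are my own choices, and the default path is the directory named in the text.

```python
"""Added example (not from the original post): flag hard-linked .job files.

A hard link shares its on-disk file record with another path, so the
file's link count (st_nlink) is greater than one. Walking the Task
Scheduler's tasks directory and reporting .job entries with more than
one link surfaces exactly the setup the post describes. The helper name
and the directory argument are assumptions for this example.
"""
import os
import sys
from pathlib import Path

# Directory named in the post; on Linux test systems pass another path.
DEFAULT_TASKS_DIR = r"C:\Windows\Tasks"


def find_hard_linked_jobs(tasks_dir, suffix=".job"):
    """Return the sorted paths of regular files directly under tasks_dir
    whose name ends with `suffix` and whose hard-link count exceeds one.

    Symlinks are skipped explicitly so that a symlink to a file with a
    single name is not mistaken for a hard link.
    """
    suspicious = []
    for entry in Path(tasks_dir).iterdir():
        if entry.suffix.lower() != suffix.lower():
            continue
        if entry.is_symlink() or not entry.is_file():
            continue
        # os.stat populates st_nlink on both NTFS (Windows) and POSIX.
        if entry.stat().st_nlink > 1:
            suspicious.append(str(entry))
    return sorted(suspicious)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_TASKS_DIR
    hits = find_hard_linked_jobs(target)
    for path in hits:
        print(f"hard-linked job file: {path}")
    print(f"{len(hits)} suspicious {'.job'} file(s) under {target}")
```

A hit is a reason to inspect the file, not proof of compromise: compare the other names of the record (for example with `fsutil hardlink list` on Windows) against what the Task Scheduler is expected to own.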

