Security researcher accidentally discovers Windows 7 and Windows Server 2008 zero-day

The vulnerability was discovered while the security researcher was working on a Windows security tool.
Written by Catalin Cimpanu, Contributor
Windows 7
Image: Microsoft

A French security researcher has accidentally discovered a zero-day vulnerability that impacts the Windows 7 and Windows Server 2008 R2 operating systems while working on an update to a Windows security tool.

The vulnerability resides in two misconfigured registry keys for the RPC Endpoint Mapper and DNSCache services that are part of all Windows installations.

  • HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper
  • HKLM\SYSTEM\CurrentControlSet\Services\Dnscache

French security researcher Clément Labro, who discovered the zero-day, says that an attacker that has a foothold on vulnerable systems can modify these registry keys to activate a sub-key usually employed by the Windows Performance Monitoring mechanism.

"Performance" subkeys are usually employed to monitor an app's performance, and, because of their role, they also allow developers to load their own DLL files to track performance using custom tools.

While on recent versions of Windows, these DLLs are usually restricted and loaded with limited privileges, Labro said that on Windows 7 and Windows Server 2008, it was still possible to load custom DLLs that ran with SYSTEM-level privileges.

Issue discovered and disclosed accidentally

But while most security researchers report severe security issues like these to Microsoft in private, when they find them, in Labro's case, this was too late.

Labro said he discovered the zero-day after he released an update to PrivescCheck, a tool to check common Windows security misconfigurations that can be abused by malware for privilege escalation.

The update, released last month, added support for a new set of checks for privilege escalation techniques.

Labro said he didn't know the new checks were highlighting a new and unpatched privilege escalation method until he began investigating a series of alerts appearing on older systems like Windows 7, days after the release.

By that time, it was already too late for the researcher to report the issue to Microsoft in private, and the researcher chose to blog about the new method on his personal site instead.

ZDNet has reached out to Microsoft for comment today, but the OS maker has not provided an official statement before this article's publication.

Both Windows 7 and Windows Server 2008 R2 have officially reached end of life (EOL) and Microsoft has stopped providing free security updates. Some security updates are available for Windows 7 users through the company's ESU (Extended Support Updates) paid support program, but a patch for this issue has not been released yet.

It is unclear if Microsoft will patch Labro's new zero-day; however, ACROS Security has already put together a micro-patch, which the company released earlier today. The micro-patch is installed via the company's 0patch security software and prevents malicious actors from exploiting the bug through ACROS' unofficial patch.

Editorial standards