To most everyone's surprise, not as the local user, but as Local System. These didn't immediately seem exploitable, but Clément did the legwork and found the Windows Performance Monitoring mechanism can be made to read from these keys - and eventually load the DLL provided by the local attacker. HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper.HKLM\SYSTEM\CurrentControlSet\Services\Dnscache.
#WINDOWS SERVER 2008 SECURITY UPDATE BREAKS WINDOWS UPDATE WINDOWS 7#
On a typical Windows 7 and Server 2008 R2 machine, the tool found that all local users have write permissions on two registry keys: Consequently, vulnerabilities like this one get our attention - and, usually, micropatches.Ĭlément wrote a very useful permissions-checking tool for Windows that find various misconfigurations in Windows that could allow a local attacker to elevate their privileges. Although these Windows platforms have reached end of support in January this year but Extended Security Updates (ESU) are still available for them until January 2023 - so even fully ESU-updated machines are currently affected by this issue.Īs an alternative to ESU, we at 0patch have "security adopted" Windows 7 and Windows Server 2008 R2 and are providing critical security patches for these platforms.
On November 12, 2020, security researcher Clément Labro published a detailed analysis of a local privilege escalation vulnerability affecting Windows 7 and Windows Server 2008 R2 for which no official fix exists yet (at the time of this writing).