Friday, February 7, 2025

Micropatches Released for Active Directory Certificate Services Elevation of Privilege Vulnerability (CVE-2024-49019)


November 2024 Windows updates brought a fix for CVE-2024-49019, a privilege escalation vulnerability allowing, under specific conditions, a domain user to create a certificate for another domain user, e.g., domain administrator - and then use it for logging in as that user.

The vulnerability was reported to Microsoft by security researchers Lou Scicchitano, Scot Berner, and Justin Bollinger with TrustedSec.

Justin then published a detailed article on this vulnerability,which allowed us to reproduce the issue and create our own patches for security-adopted Windows versions that are no longer receiving updates from Microsoft.

 

Microsoft's Patch

Microsoft patched this by adding a new function call that disables the Extended Key Usage attribute.

 

Our Micropatch

Our patch performs the same operation with additional optimizations to logic and code flow.


Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

  1. Windows Server 2008 R2 - - fully updated without ESU, with ESU 1, ESU 2, ESU 3 or ESU 4
  2. Windows Server 2012 - fully updated without ESU, with ESU 1
  3. Windows Server 2012 R2 - fully updated without ESU, with ESU 1

 

Only Windows Servers are affected by this issue.

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that). 

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

We would like to thank researchers  Lou Scicchitano, Scot Berner, and Justin Bollinger with TrustedSec for publishing their analysis, which made it possible for us to create a micropatch for this issue.

Did you know 0patch will security-adopt Windows 10 when it goes out of support in October 2025, allowing you to keep using it for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.

Micropatches Released for Windows OLE Remote Code Execution (CVE-2025-21298)

  

January 2025 Windows updates brought a fix for CVE-2025-21298, a memory corruption issue in Windows OLE data processing that can be exploited by a malicious Word document or a malicious email read in Outlook to execute arbitrary code on user's computer. (Probably also in multiple other ways, but these would be the obvious attack scenarios.)

The vulnerability was reported to Microsoft by security researchers Jmini, Rotiple, D4m0n with Trend Micro Zero Day Initiative.

Subsequently, security researcher Miloš published their analysis and POC of this vulnerability,which allowed us to reproduce the issue and create our own patches for security-adopted Windows versions that are no longer receiving updates from Microsoft.

 

Microsoft's Patch

The root cause of this issue is in function UtOlePresStmToContentsStm free'ing a stream object, but then storing the just free'd pointer which subsequently gets used again.

Microsoft patched this issue by overwriting the free's stream pointer with NULL, preventing its subsequent use.

 

Our Micropatch

Our patch does the exact same thing as Microsoft's.


Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

  1. Windows 11 v21H2 - fully updated
  2. Windows 10 v21H2 - fully updated
  3. Windows 10 v21H1 - fully updated
  4. Windows 10 v20H2 - fully updated
  5. Windows 10 v2004 - fully updated
  6. Windows 10 v1909 - fully updated
  7. Windows 10 v1809 - fully updated
  8. Windows 10 v1803 - fully updated
  9. Windows 7 - fully updated without ESU, with ESU 1, ESU 2 or ESU 3
  10. Windows Server 2008 R2 - - fully updated without ESU, with ESU 1, ESU 2, ESU 3 or ESU 4
  11. Windows Server 2012 - fully updated without ESU, with ESU 1
  12. Windows Server 2012 R2 - fully updated without ESU, with ESU 1

 

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that). 

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

We would like to thank researchers Jmini, Rotiple, and D4m0n for sharing their finding with Microsoft, and security researcher Miloš for publishing their analysis and POC, which made it possible for us to create a micropatch for this issue.

Did you know 0patch will security-adopt Windows 10 when it goes out of support in October 2025, allowing you to keep using it for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.

Tuesday, February 4, 2025

Micropatches Released for Windows Task Scheduler Elevation of Privilege Vulnerability (CVE-2024-49039)

 

November 2024 Windows updates brought a fix for CVE-2024-49039, a local privilege escalation issue allowing low-integrity code running on the computer to execute arbitrary medium-integrity code as the same user. This can be useful for escaping low-integrity sandboxes such as those in modern web browsers (such as Mozilla Firefox) and document readers.

In short: if you are malicious code executed with low integrity, you create a scheduled task to be executed as you, then Task Scheduler executes this task with default (medium) integrity. Sandbox escaped.

The vulnerability was reported to Microsoft by the Mozilla Security Team, and by Vlad Stolyarov and Bahare Sabouri of Google's Threat Analysis Group.

Subsequently, security researcher je5442804 published their analysis and POC of this vulnerability,which allowed us to reproduce the issue and create our own patches for security-adopted Windows versions that are no longer receiving updates from Microsoft.

 

Microsoft's Patch

Microsoft patched this issue with new flags on the Task Scheduler RPC interface which prevents a low-integrity process from accessing it.

 

Our Micropatch

We decided to rather patch the TaskSchedulerCreateSchedule function, which is used to create the scheduled task. There, we check the requesting process's integrity before creating the task and deny the creation if the process has low integrity.


Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

  1. Windows 11 v21H2 - fully updated
  2. Windows 10 v21H2 - fully updated
  3. Windows 10 v21H1 - fully updated
  4. Windows 10 v20H2 - fully updated
  5. Windows 10 v2004 - fully updated
  6. Windows 10 v1909 - fully updated
  7. Windows 10 v1809 - fully updated
  8. Windows 10 v1803 - fully updated
The vulnerability was first introduced with Windows 10, therefore it does not exist on Windows 7, Windows Server 2008 and Windows Server 2012  (so no patches were needed there).

 Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that). 

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

We would like to thank je5442804 for sharing their analysis and POC, which made it possible for us to create a micropatch for this issue.

Did you know 0patch will security-adopt Windows 10 when it goes out of support in October 2025, allowing you to keep using it for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.





Monday, February 3, 2025

Micropatches Released for NTLM Hash Disclosure Spoofing Vulnerability (CVE-2024-43451)

 

November 2024 Windows updates brought a fix for CVE-2024-43451, an NTLM hash disclosure vulnerability that allows an attacker to obtain user's Net-NTLM hash when the user right-clicks, deletes or moves a malicious .url file to another folder.

The vulnerability was reported to Microsoft by Israel Yeshurun with ClearSky Cyber Security, who subsequently also published a detailed report. The report allowed us to reproduce the issue and create our own patches for security-adopted Windows versions that are no longer receiving updates from Microsoft.

 

Microsoft's Patch

Microsoft patched this issue by replacing the IECreateFromPathCPWithBCW function with a new version that has an updated check for network paths. Multiple new tests are performed including calls to MapUrlToZone and IsFileURLW. They also added checks for special characters in the path, but all these additional checks were done to exclude some network paths (which Microsoft deemed legitimate) from being blocked.

 

Our Micropatch

As we could imagine no important real-world use of  letting .url files to automatically load resources from the Internet, we blocked this feature in its entirety by calling MapUrlToZone on the provided file path and only allowing requests from Trusted Sites zone, Local Intranet zone and Local Computer zone. This blocks all automatically triggered Internet resource requests from .url shortcut files without limiting these files' functionality.


Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

  1. Windows 11 v21H2 - fully updated
  2. Windows 10 v21H2 - fully updated
  3. Windows 10 v21H1 - fully updated
  4. Windows 10 v20H2 - fully updated
  5. Windows 10 v2004 - fully updated
  6. Windows 10 v1909 - fully updated
  7. Windows 10 v1809 - fully updated
  8. Windows 10 v1803 - fully updated
  9. Windows 7 - fully updated without ESU, or with ESU 1, ESU 2 or ESU 3
  10. Windows Server 2012, Server 2012 R2 - fully updated without ESU, or with ESU1
  11. Windows Server 2008 R2 - fully updated without ESU, or with ESU 1, ESU 2, ESU 3 or ESU 4
 
Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that). 

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

We would like to thank Israel Yeshurun with ClearSky Cyber Security for sharing their analysis, which made it possible for us to create a micropatch for this issue.

Did you know 0patch will security-adopt Windows 10 when it goes out of support in October 2025, allowing you to keep using it for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.




Tuesday, January 14, 2025

Micropatches Released for Windows "LDAPNightmare" Denial of Service Vulnerability (CVE-2024-49113)


December 2024 Windows Updates brought a patch for CVE-2024-49113 a.k.a. "LDAPNightmare", a denial of service vulnerability in Windows LDAP client code. The vulnerability allows an attacker to crash the LDAP client process after coercing it to connect to their malicious LDAP server; if the client process happens to be an important Windows service such as lsass.exe, its crashing would lead to computer reboot.

The vulnerability was discovered and reported to Microsoft by security researcher Yuki Chen. After Microsoft's patch was issued, researchers Or Yair and Shahak Morag of SafeBreach reversed it, recreated a proof of concept, and issued a detailed analysis.

These allowed us to reproduce the issue and create our own patches for it for security-adopted Windows versions that are no longer receiving updates from Microsoft.

 

The Vulnerability

The vulnerability allows a malicious LDAP server to cause an out-of-bounds read operation in the memory space of the client process on the remote computer when processing LDAP referral data. This crashes said process, which can range from insignificant (when connecting to attacker's computer with a command-line LDAP app) to serious (when attacker coerces an important server to connect to their LDAP server, getting the server to crash as described in the SafeBreach article).

 

Microsoft's Patch

Microsoft patched this issue by comparing the server-supplied referral "index" to the size of the referral table in function LdapChaseReferral (wldap32.dll).

Our Micropatch

Our patch is functionally identical to Microsoft's.


Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

  1. Windows 11 v21H2 - fully updated
  2. Windows 10 v21H2 - fully updated
  3. Windows 10 v21H1 - fully updated
  4. Windows 10 v20H2 - fully updated
  5. Windows 10 v2004 - fully updated
  6. Windows 10 v1909 - fully updated
  7. Windows 10 v1809 - fully updated
  8. Windows 10 v1803 - fully updated
  9. Windows 7 - fully updated without ESU, or with ESU 1, ESU 2 or ESU 3
  10. Windows Server 2012, Server 2012 R2 - fully updated without ESU
  11. Windows Server 2008 R2 - fully updated without ESU, or with ESU 1, ESU 2, ESU 3 or ESU 4
 
Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that). 

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

We would like to thank Or Yair and Shahak Morag of SafeBreach for sharing their analysis and proof-of-concept, which made it possible for us to create a micropatch for this issue.Yuki Chen

To learn more about 0patch, please visit our Help Center.

Thursday, December 5, 2024

URL File NTLM Hash Disclosure Vulnerability (0day) - and Free Micropatches for it

 

Our researchers discovered a vulnerability on all Windows Workstation and Server versions from Windows 7 and Server 2008 R2 to the latest Windows 11 v24H2 and Server 2022. The vulnerability allows an attacker to obtain user's NTLM credentials by simply having the user view a malicious file in Windows Explorer - e.g., by opening a shared folder or USB disk with such file, or viewing the Downloads folder where such file was previously automatically downloaded from attacker's web page.

We reported this issue to Microsoft, and - as usual - issued micropatches for it that will remain free until Microsoft has provided an official fix.

We are withholding details on this vulnerability until Microsoft's fix becomes available to minimize the risk of malicious exploitation. 

This is the third 0day we have recently found and reported to Microsoft, after the Windows Theme file issue (still a 0day without an official patch) and the Mark of the Web issue on Server 2012 (also still a 0day without an official patch).

In addition, the "EventLogCrasher" vulnerability, allowing an attacker to disable all Windows event logging on all domain computers (reported to Microsoft in January this year by security researcher Florian), is still waiting for an official patch so our patches for it are the only ones available.

There are also currently three NTLM-related publicly known "wont fix" vulnerabilities that Microsoft decided not to patch with 0patch patches available: PetitPotam, PrinterBug/SpoolSample and DFSCoerce. All of these are present on all latest fully updated Windows versions, and if your organization is using NTLM for any reason, it could be affected.

Currently, 40% of our users are using 0patch for protection against 0day and "wont fix" vulnerabilities, while others use 0patch for keeping their legacy Windows systems and Office versions secure with our security patches.


Micropatch Availability

Since this is a "0day" vulnerability with no official vendor fix available, we are providing our micropatches for free until such fix becomes available.

Micropatches were written for:

 Legacy Windows versions:

  1. Windows 11 v21H2 - fully updated
  2. Windows 10 v21H2 - fully updated
  3. Windows 10 v21H1 - fully updated
  4. Windows 10 v20H2 - fully updated
  5. Windows 10 v2004 - fully updated
  6. Windows 10 v1909 - fully updated
  7. Windows 10 v1809 - fully updated
  8. Windows 10 v1803 - fully updated
  9. Windows 7 - fully updated with no ESU, ESU 1, ESU 2 or ESU 3
  10. Windows Server 2012 - fully updated with no ESU or ESU 1
  11. Windows Server 2012 R2 - fully updated with no ESU or ESU 1
  12. Windows Server 2008 R2 - fully updated with no ESU, ESU 1, ESU 2, ESU 3 or ESU 4

 Windows versions still receiving Windows Updates:

  1. Windows 11 v24H2 - fully updated   
  2. Windows 11 v23H2 - fully updated
  3. Windows 11 v22H2 - fully updated
  4. Windows 10 v22H2 - fully updated
  5. Windows Server 2022 - fully updated
  6. Windows Server 2019 - fully updated 
  7. Windows Server 2016 - fully updated 
  8. Windows Server 2012 fully updated with ESU 2
  9. Windows Server 2012 R2 fully updated with ESU 2

 

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

 

Did you know 0patch will security-adopt Windows 10 when it goes out of support in October 2025, allowing you to keep using it for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.



Thursday, November 28, 2024

Windows Server 2012 Mark of the Web Vulnerability (0day) - and Free Micropatches for it


Our researchers discovered a previously unknown vulnerability on Windows Server 2012 and Server 2012 R2 that allows an attacker to bypass a security check otherwise enforced by Mark of the Web on certain types of files.

Our analysis revealed this vulnerability was introduced to Windows Server 2012 over two years ago, and remained undetected - or at least unfixed - until today. It is even present on fully updated servers with Extended Security Updates.

We reported this issue to Microsoft, and, as usual, issued micropatches for it that will remain free until Microsoft has provided an official fix.

We are withholding details on this vulnerability until Microsoft's fix becomes available to prevent malicious exploitation.


Micropatch Availability

Since this is a "0day" vulnerability with no official vendor fix available, we are providing our micropatches for free until such fix becomes available.

Micropatches were written both for our:

 Legacy Windows versions:

  1. Windows Server 2012 updated to October 2023
  2. Windows Server 2012 R2 updated to October 2023

 Windows versions still receiving Windows Updates:

  1. Windows Server 2012 fully updated with Extended Security Updates
  2. Windows Server 2012 R2 fully updated with Extended Security Updates

 

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

 

Did you know 0patch will security-adopt Windows 10 when it goes out of support in October 2025, allowing you to keep using it for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.