by Mitja Kolsek, the 0patch Team
Windows 7 and Server 2008 R2 users without Extended Security Updates have just received a micropatch for CVE-2020-1113, a Windows Task Scheduler Security Feature Bypass.
This vulnerability was patched by Microsoft with May 2020 Updates, but Windows 7 and Server 2008 users without Extended Security Updates remained vulnerable.
Security researcher Sylvain Heiniger (@) of @ analyzed this vulnerability and subsequently published a POC, from which we could reproduce the issue and create a micropatch.
The vulnerability lies in Task Scheduler accepting RPC requests that can be relayed. An attacker can piggyback on such requests by having some logged-on user send an SMB request to their computer, and then act as man-in-the-middle.
Microsoft's patch makes sure the authentication level of the RPC request received by Task Scheduler is RPC_C_AUTHN_LEVEL_PKT_PRIVACY, which prevents such piggybacking. Our micropatch does effectively the same, with just six CPU instructions on 32-bit Windows, and two CPU instructions on 64-bit Windows:
And a video of the micropatch in action:
We'd like to thank Sylvain Heiniger (@) for sharing their analysis and POC, which allowed us to create this micropatch for Windows users without official security updates. We also encourage security researchers to privately share their analyses with us for micropatching.
This micropatch is immediately available to all 0patch users with a PRO license, and is targeted at Windows 7 and Windows Server 2008 R2 users without Extended Security Updates. To obtain the micropatch and have it applied on your computer(s) along with other micropatches included with a PRO license, create an account in 0patch Central, install 0patch Agent and register it to your account. Note that no computer restart is needed for installing the agent or applying/un-applying any 0patch micropatch.
To learn more about 0patch, please visit our Help Center.