by Mitja Kolsek, the 0patch Team
Windows 7 and Server 2008 R2 users without Extended Security Updates have just received a micropatch for CVE-2020-1015, a memory corruption vulnerability in User-Mode Power Service that could allow a local attacker to execute arbitrary code as Local System.
This vulnerability was patched by Microsoft with April 2020 Updates, but Windows 7 and Server 2008 R2 users without Extended Security Updates remained vulnerable.
Security researcher 0xeb_bp analyzed the official patch, wrote an in-depth analysis, determined the root cause of the vulnerability, and published a tool that crashes the Power Service.
The vulnerability provides a "race condition" in requests for a legacy RPC function because the code processing these requests was not properly enclosed in critical sections. Multiple concurrent requests can corrupt memory and result in arbitrary code execution in the service.
Microsoft's patch effectively enclosed most of the legacy RPC function (UmpoRpcLegacyEventRegisterNotication) into a critical section. Our micropatch does logically the same with two patchlets, 5 instructions in each.
We'd like to thank @0xeb_bp for an excellent analysis and POC for this issue, which allowed us to create a micropatch for Windows users without security updates.
This micropatch is immediately available to all 0patch users with a PRO license. To obtain the micropatch and have it applied on your computer(s) along with other micropatches included with a PRO license, create an account at 0patch Central, install 0patch Agent and register it to your account. Note that no computer restart is needed for installing the agent or applying/un-applying any 0patch micropatch.
To learn more about 0patch, please visit our Help Center.