by Mitja Kolsek, the 0patch Team
Windows 7 and Server 2008 R2 users without Extended Security Updates have just received a micropatch for CVE-2020-1281, an integer overflow vulnerability in Windows OLE marshaling that could allow a remote attacker to execute arbitrary code on user's computer.
This vulnerability was patched by Microsoft with June 2020 Updates, but Windows 7 and Server 2008 R2 users without Extended Security Updates remained vulnerable.
Security researcher Yuki Chen found the vulnerability, wrote an in-depth analysis, analyzed Microsoft's patch and provided a POC for triggering the vulnerability.
The vulnerability is in the way new object size is being calculated when an object is enlarged (e.g., in string concatenation). This new size is then used for allocating memory for the resulting "enlarged" object.
The vulnerable code doesn't account for really large numbers where adding would exceed the capacity of 32-bit numbers. In such cases, an integer overflow occurs, a too-small memory block is allocated, and subsequent copying to this new block overwrites memory outside of it.
Microsoft's patch modified several functions related to calculating the object size. We decided to only patch the one that is proven to be exploitable at this point (BSTR_UserSize). Upon detecting an overflow, our patch reports "Exploit Blocked" and terminates the process:
Here's a video of our micropatch in action:
We'd like to thank Yuki Chen for an excellent analysis and POC for this issue, which allowed us to create a micropatch for Windows users without security updates.
This micropatch is immediately available to all 0patch users with a PRO license, and is targeted at Windows 7 and Windows Server 2008 R2 users without Extended Security Updates. To obtain the micropatch and have it applied on your computer(s) along with other micropatches included with a PRO license, create an account at 0patch Central, install 0patch Agent and register it to your account. Note that no computer restart is needed for installing the agent or applying/un-applying any 0patch micropatch.
To learn more about 0patch, please visit our Help Center.