Windows Installer zero-day vulnerability gets free micropatch

silversurfer

A vulnerability in the Windows Installer component, which Microsoft attempted to fix several times to no avail, today received a micropatch to deny hackers the option of gaining the highest privileges on a compromised system.

The issue affects Windows 7 through 10. Microsoft’s most recent effort to address the issue (CVE-2020-16902) was in October. A bypass, complete with proof-of-concept (PoC) exploit code emerged in late December 2020.

Temporary fix available

Mitja Kolsek, CEO of ACROS Security and co-founder of the 0patch micropatching service, explains how Naceri’s PoC for the vulnerability (no tracking number) works:
“The proof-of-concept is using a rollback script that changes the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Fax\ImagePath to c:\Windows\temp\asmae.exe, which results in the Fax Service using attacker's asmae.exe when the service is launched. This service was used because any user is allowed to launch it, and it's running as Local System” - Mitja Kolsek
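A defensive counterpart to the mechanism Kolsek describes, added here as an example (it is not code from the article, from 0patch, or from the PoC author): a read-only PowerShell audit that walks the Services registry key and flags any service whose ImagePath resolves into a directory a standard user can write to, such as C:\Windows\Temp. The list of writable roots is an assumption to adjust for your environment.

```powershell
# Added example (not from the thread, 0patch or the PoC author): a read-only audit of
# service ImagePath values that resolve into user-writable directories, the pattern the
# quoted PoC relies on (Fax -> c:\Windows\temp\asmae.exe). Run from an elevated prompt.

# Directories a standard user can write to; extend for your environment (assumption).
$writableRoots = @("$env:SystemRoot\Temp", $env:ProgramData, $env:PUBLIC, 'C:\Users')

function Resolve-ServiceExecutable {
    param([string]$ImagePath)
    # ImagePath may be quoted, carry arguments, use %vars%, or omit the drive letter.
    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        $exe = if ($end -gt 1) { $p.Substring(1, $end - 1) } else { $p.Trim('"') }
    } else {
        $exe = ($p -split '\s+')[0]
    }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    $exe = $exe -replace '^\\\?\?\\', ''                          # drop NT-style \??\ prefix
    $exe = $exe -replace '^\\SystemRoot\\', "$env:SystemRoot\"    # \SystemRoot\... form
    if ($exe -notmatch '^[A-Za-z]:\\') { $exe = Join-Path $env:SystemRoot $exe }  # system32\...
    return $exe
}

$services = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\*' -ErrorAction SilentlyContinue |
    Where-Object { $_.ImagePath }

foreach ($svc in $services) {
    $exe = Resolve-ServiceExecutable $svc.ImagePath
    foreach ($root in $writableRoots) {
        if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
            # Emit one finding per service; an empty result means no ImagePath points
            # into any of the writable roots listed above.
            [PSCustomObject]@{
                Service   = $svc.PSChildName
                ImagePath = $svc.ImagePath
                Resolved  = $exe
                Reason    = "executable under user-writable path $root"
            }
            break
        }
    }
}
```

A hit on a service that any user may start, as the Fax service is described above, deserves the closest look, since that combination is what the PoC chains together.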
Gandalf_The_Grey

An interesting concept but not for me.
I couldn't get the agent to start with my account logged in after a reboot or fresh start.
Had to manually login every time.
Even support couldn't help me with that.
So, I don't use it on any of my systems.
SomeRandomCat

I didn't have any issues with it, on Windows 10 Pro. I did a little reading on their site and they basically claim that any security patches that affect home users are free, and ones that only affect corporate (server) users are not, so that seemed cool.

I guess if there are plenty of computer resources (CPU/RAM/etc) then running it would likely only be beneficial, although I don't know the likelihood of it saving the day.
MacDefender

facepalm gotta love the cleverness of attackers! On the iOS side, the most classic persistent jailbreaks were to add or hijack a launchd plist (equivalent to a service in Windows land) with a bogus one that exploits the system. Apple fixed that years back by forcing all such configuration files to be signed by Apple or refusing to execute them. Eventually there was a pretty famous targeted attack where instead of replacing the configuration file, attackers just replaced the actual executable with a LOLBin that could be abused to do the dirty work (all executables on iOS have to be signed by Apple anyway and system services in particular can only launch things signed as part of the original operating system). Starting from last year or so, Apple made the system image both read only and immutable as well as signed. I'm not aware of an attack that defeats this yet short of a ROM exploit that stops the OS from being able to secure itself.

This is always a cat and mouse game, and no scheme is perfect. But I do like seeing vendors that take an aggressively proactive approach to redesigning commonly exploited pathways to get rid of the problem instead of playing plug the leak.