This week Microsoft released a zero-day patch for a previously unpatched local privilege escalation (LPE) vulnerability affecting all Windows 7 and Server 2008 R2 devices. The LPE vulnerability stems from the misconfiguration of two service registry keys, and it enables local attackers to elevate their privileges on any fully patched Windows 7 or Server 2008 R2 system. Even though both Server 2008 R2 and Windows 7 reached end of support in Jan 2020, about 8% of Windows servers are still running Server 2008 R2. As for desktops, roughly 200 million PCs worldwide are still running older Windows versions, mostly Windows 7. So still a pretty substantial attack surface…
The vulnerability enables an attacker to gain arbitrary code execution through the Windows Management Instrumentation (WMI) service, which runs with LOCAL SYSTEM permissions. In other words, an attacker can essentially run any arbitrary code on a compromised device. The blog that uncovered the vulnerability also provides a proof of concept for exploiting it.
Like any zero day, the vulnerability was available for exploitation in the wild long before it was discovered. Anyone doing a configuration scan (for the last few YEARS) would have encountered a weird recurring result that was usually ignored and written off as a false positive. Alert fatigue caused by the overwhelming number of vulnerabilities found in scanning means that it isn't unusual for folks to ignore scan findings. So, it wasn't really a zero day: its presence was known, just ignored…
This is a good example of why too many notifications are the bane of cybersecurity. It is also a good reminder that effective cyber defense needs (like any other process) a good continuous improvement cycle:
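A configuration check of the kind described above, as an added example (not code from this post or from the blog it refers to): this PowerShell script lists service registry keys whose ACL lets a broad, non-administrative principal write to them. The post does not name the two affected keys, so the script audits every key under `Services`; the list of SIDs and the set of rights treated as "write" are assumptions made for this example.

```powershell
# Added example: audit service registry keys for write access granted to
# broad, non-administrative principals.
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Assumption: these well-known SIDs stand for "low-privileged" principals.
$lowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Assumption: rights that count as "write" here. FullControl contains all of
# them, so it is caught by the same mask.
$writeRights = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, ChangePermissions, TakeOwnership'
# Unmapped GENERIC_WRITE / GENERIC_ALL bits sometimes appear in stored ACEs.
$writeMask = $writeRights -bor 0x40000000 -bor 0x10000000

$findings = foreach ($key in Get-ChildItem -Path $servicesRoot -ErrorAction SilentlyContinue) {
    try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop }
    catch { continue }   # key not readable from this context: skip it

    # Ask for SIDs rather than names so the check works on localized systems.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $sid = $rule.IdentityReference.Value
        if (-not $lowPrivSids.ContainsKey($sid)) { continue }

        $granted = [int]$rule.RegistryRights -band $writeMask
        if ($granted -eq 0) { continue }   # read-only access is expected

        [pscustomobject]@{
            Service   = $key.PSChildName
            Principal = $lowPrivSids[$sid]
            Rights    = [System.Security.AccessControl.RegistryRights]$granted
            Inherited = $rule.IsInherited
        }
    }
}

# One row per (service key, principal) pair that needs review.
$findings | Sort-Object Service, Principal | Format-Table -AutoSize
```

An empty result means no key directly under `Services` grants those rights to the listed principals.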
1. Find and prioritize cyber security issues for your environment (red team)
   - i.e. Vulnerability, Configuration, Access (privileges, credentials), Audit impairment (Logging)
2. Propose primary control processes and actions for new top 10 issues (blue team)
3. Apply recommended actions (IT)
4. Assess security posture and propose compensating control processes for unresolved issues (blue team)
5. Go to 1…
Effective prioritization by a purple team (live or automated) is the most effective way to implement continuous improvement and to keep your assets safe.