Microsoft Windows RCE Flaw Gets Temporary Micropatch

0patch released the fix for the remote code execution vulnerability in Windows, which has a CVSS score of 7.8.

Three unfixed Microsoft Windows vulnerabilities have been assigned unofficial, temporary micropatches – including a recently-disclosed high-severity remote code-execution flaw.

The micropatches were released Tuesday by ACROS Security’s 0patch platform. 0patch, which is still in its beta stage, applies temporary micropatches for product vulnerabilities that have not yet been assigned a fix.

One of the micropatches addresses a high-severity Windows flaw that enables arbitrary remote code-execution. The vulnerability was disclosed by Zero Day Initiative researcher John Page on Jan. 10 in a coordinated public release. However, Microsoft has not yet issued a patch for the flaw, which ranks 7.8 on the CVSS scale.

“Microsoft has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible,” a Microsoft spokesperson told Threatpost. “Our standard policy is to provide solutions via our current Update Tuesday schedule.”

According to ZDI’s release, “this vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.”

The flaw exists in the way that VCF and CONTACT files process data. VCF and CONTACT files are associated with the Windows Contacts application, which allows users to import contacts. Users can navigate their Contacts folder and select a VCF contacts file (also known as vCard) they would like to import.

The way these Windows files craft and process data can allow them to display a dangerous hyperlink.

The flaw allows an attacker to run executables that sit unseen in the attackers’ directory. An attacker is able to run an executable file when certain “.contact” of VCF files are processed.

However, it’s not a quick or simple exploit to maneuver: The attacker would need to get the user to open a malicious VCF or CONTACT file and click on the displayed dangerous link, which would then launch the attacker’s executable.

“An attacker can leverage this vulnerability to execute code in the context of the current user,” according to ZDI’s release.

A micropatch has been released for fully updated 64-bit Windows 10 version 1803 and fully updated 64-bit Windows 7.

In order to protect against the flaw, the micropatch blocks certain command that launches potential executables when a URL containing malicious executables are clicked on by potential victims: “We simply added some logic before this call to make sure that if the URL doesn’t start with “mailto:”, “http://” or “https://”, it gets prepended with “http://” to prevent any possible launching of local executables,” said Mitja Kolsek, with 0patch, in his detailing of the micropatch.

According to ZDI, Microsoft advised researchers that its “engineering team had decided to pursue the fix as v.Next,” and, “Microsoft has decided that it will not be fixing this vulnerability and we are closing this case.”

The other two vulnerabilities addressed by 0patch were published by a researcher who goes by SandboxEscaper on Twitter, who has disclosed several zero-day vulnerabilities over the past few months. One of the flaws, which SandboxEscaper dubbed “angrypolarberbug,” allows a local unprivileged process to get any chosen file on the system overwritten.

The flaw, which does not yet have a CVE, stems from the fact that a Windows Error Reporting Service can create a temporary XML file (C:\ProgramData\Microsoft\Windows\WER\Temp\ folder). This folder has inheritable permissions that include read, write and delete access for authenticated users (including a local attacker). That means that a bad actor could theoretically create a new XML file containing a low-privileged malicious process and would be able to execute that file under higher privileges, said 0patch.

“The attacker has very little control over the content of this XML file, so the demonstration provided by SandboxEscaper was a local denial of service by corrupting a critical system file pci.sys, which prevents the system from booting,” Kolsek said. “One can imagine potentially finding some other file to overwrite that would lead to execution of attacker’s code under higher privileges such as SYSTEM or Administrator — but to our knowledge, such example has not been published.”

The micropatch makes a small change by having the Windows Error Reporting Service creating the XML file specify permissions.

The other micropatch addresses another flaw released by SandboxEscaper. The vulnerability allows an unprivileged process running on a Windows computer to obtain the content of arbitrary file – even if permissions on such file don’t allow it read access.

The flaw exists in Windows Installer’s advertisement functionality, which can be triggered using the MsiAdvertiseProduct function. When a product is advertised, Windows Installer makes a temporary copy file for this product – but that temporary file gives bad actors potential permissions to read the content on it.

However, “Due to file permissions on the temporary MSI file, which allow everyone read access, an attacker can thus trick the Windows Installer Service to copy the content of arbitrary file to the temporary MSI file, and then read that file to obtain said content,” according to Kolsek.

The micropatch tweaks the development of these temporary files so that the permissions on the temporary MSI file are the same as on the file being copied, and “the attacker gains nothing from this process.”

Suggested articles