A French security researcher accidentally discovered a security vulnerability affecting Windows 7 and Windows Server 2008 R2 while working on a Windows security tool update.
The vulnerability lies in two misconfigured registry keys belonging to the RPC Endpoint Mapper and DNS Cache services, which are present on every Windows installation.
“An attacker with access to vulnerable systems can modify these registry keys to activate a subkey that is commonly used by the Windows performance monitoring mechanism,” says French security researcher Clément Labro.
Performance subkeys are normally used to monitor application performance, and because of that role they also allow developers to load DLL files so that performance can be tracked with specialised tools.
While recent versions of Windows restrict these DLL libraries and load them with limited privileges, Labro said it is still possible in Windows 7 and Windows Server 2008 to load custom DLL libraries that run with system-level privileges.
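The following PowerShell script is an added defensive example, not code from the article or from PrivescCheck. It audits the two service keys the article describes for write permissions granted to low-privileged principals and reports any Performance subkey that is present, so an administrator can confirm it is expected and tighten the ACL if it is not. The registry key names RpcEptMapper and Dnscache, and the Library value name under the Performance subkey, are assumptions based on how Windows names these services and performance-counter entries; the article itself only names the services informally.

```powershell
# Added example (not from the article or from PrivescCheck): audit the service
# keys for the RPC Endpoint Mapper and DNS Cache services.
# Assumed key names: RpcEptMapper and Dnscache (the article names the services
# informally). Run from an elevated PowerShell prompt on the host being audited.
$ServiceKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\RpcEptMapper',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache'
)

# Principals that should never be able to create subkeys or set values
# under a service key; write access here is what the article's flaw relies on.
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Any of these rights lets a caller add a Performance subkey or change its values.
$WriteRights = [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey

function Test-ServiceKeyHardening {
    param([Parameter(Mandatory)][string]$KeyPath)

    $findings = @()
    if (-not (Test-Path -Path $KeyPath)) {
        return $findings   # service not installed on this host; nothing to check
    }

    # 1. Look for Allow ACEs that give low-privileged principals write rights.
    $acl = Get-Acl -Path $KeyPath
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.RegistryRights -band $WriteRights) -ne 0) {
            $findings += [pscustomobject]@{
                Key    = $KeyPath
                Issue  = 'Low-privileged principal has write access'
                Detail = "$($ace.IdentityReference.Value): $($ace.RegistryRights)"
            }
        }
    }

    # 2. Report a Performance subkey so its Library value can be reviewed.
    #    'Library' is the conventional value name for a performance-counter DLL
    #    (assumption; not stated in the article).
    $perfKey = Join-Path -Path $KeyPath -ChildPath 'Performance'
    if (Test-Path -Path $perfKey) {
        $library = (Get-ItemProperty -Path $perfKey -Name 'Library' -ErrorAction SilentlyContinue).Library
        $findings += [pscustomobject]@{
            Key    = $perfKey
            Issue  = 'Performance subkey present; confirm the DLL is expected'
            Detail = "Library = $library"
        }
    }

    return $findings
}

$results = $ServiceKeys | ForEach-Object { Test-ServiceKeyHardening -KeyPath $_ }
if ($results) {
    $results | Format-Table -AutoSize
} else {
    Write-Output 'No findings: no low-privileged write access and no Performance subkeys.'
}
```

On a hardened host the script prints no findings; a write-access finding means the key's ACL should be corrected so that only administrators and SYSTEM can create subkeys or set values, and a Performance finding should be compared against the service's documented configuration before any action is taken.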
Most security researchers report serious problems like this to Microsoft when they find them, but in Labro's case it was too late.
Labro said he discovered the flaw after releasing an update to PrivescCheck, a tool that checks for common Windows security misconfigurations that malware can abuse to escalate privileges.
The PrivescCheck update added support for a new set of checks for privilege escalation techniques.
“I didn’t know that the new tests highlighted a new way to escalate privileges until I started investigating a series of alerts that appeared across older systems, such as Windows 7, days after the tool’s update was released,” Labro said.
By then, it was too late for the researcher to inform Microsoft of the problem, and the researcher chose instead to blog about the new method through his personal site.
Windows 7 and Windows Server 2008 R2 have officially reached end of life, and Microsoft has stopped providing free security updates for them.
Some security updates are still available to Windows 7 users through the paid ESU support program, but no fix has yet been issued for this issue.
It is not clear whether Microsoft will fix the new vulnerability.