Not every Windows vulnerability requires patching, according to Microsoft. When Microsoft analyzes a reported vulnerability, it may conclude that the issue does not meet its bar for servicing.
This is exactly what happened recently to a security researcher who reported a Windows Event Log vulnerability to Microsoft. Successful exploitation crashes the Windows Event Log service. The vulnerability requires authentication but no special user privileges, and an attack may crash the service on local or remote devices.
According to the researcher, the vulnerability affects Windows 10 and Windows Server 2022. 0Patch later discovered that it affects many more Windows systems: on the client side, every Windows version from Windows 7 onward; on the server side, every Windows Server version from Windows Server 2008 R2 onward.
The researcher published a proof of concept of the vulnerability on GitHub. A short demo GIF is also available there.
0Patch steps in, creates free micro-patch
Micro-patching service 0Patch analyzed the issue. It discovered that the proof of concept was “remarkably simple” and that attacks did not take more than a second to execute.
The Windows Event Log service restarts automatically when it stops, but according to 0Patch it does so only twice. An attacker can therefore repeat the attack until the service stays down for the rest of the session.
No events are logged while the service is not running, and none can be read while it is down. 0Patch notes on its website that Windows keeps a separate record of security and system events while the logging service is down.
These buffered events are added to the log once the service is running again. 0Patch engineers discovered that this record persists across sessions, but that it is lost when the system crashes.
To sum it up: a successful attack that ends with a crash of the system may prevent any events from being logged on that system. This makes forensic work on attacked systems difficult and may be exploited by malicious actors to cover their tracks even better.
0Patch writes:
During the service downtime, any detection mechanisms ingesting Windows logs will be blind, allowing the attacker to take time for further attacks – password brute-forcing, exploiting remote services with unreliable exploits that often crash them, or running every attacker’s favorite whoami – without being noticed.
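The restart limit and the detection blind spot described above can be checked from the defender's side. The following PowerShell is an added example, not code from the article or from 0Patch: it counts unexpected terminations of the Event Log service recorded by the Service Control Manager, reports the service's current state, and prints the configured recovery actions. It assumes it runs elevated on the host being checked; the seven-day lookback window is an arbitrary choice.

```powershell
# Added example (not from the article or 0Patch). Run elevated on the host to check.
$LookbackDays = 7   # assumed lookback window
$Since = (Get-Date).AddDays(-$LookbackDays)

# 1. When a service dies, the Service Control Manager writes System event 7034
#    ("The <name> service terminated unexpectedly") once logging is available
#    again, so a crash of the Event Log service still leaves a trace afterwards.
$crashes = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7034
    StartTime    = $Since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Windows Event Log*' }

# 2. Current state of the service (short name EventLog, display name "Windows Event Log").
$service = Get-Service -Name EventLog

# 3. Recovery actions the SCM will take on failure. The article reports the
#    service is restarted only twice; sc.exe qfailure shows what is configured.
$recovery = & sc.exe qfailure EventLog
$actions  = ($recovery | Where-Object { $_ -match 'Delay =' } | ForEach-Object { $_.Trim() }) -join '; '

# Get-WinEvent returns newest events first, so the first entry is the latest crash.
$latest = $crashes | Select-Object -First 1

[pscustomobject]@{
    ServiceStatus   = $service.Status
    UnexpectedStops = @($crashes).Count
    LastStop        = if ($latest) { $latest.TimeCreated } else { $null }
    RecoveryActions = $actions
}
```

A non-zero UnexpectedStops count, or a service that is not Running, is the kind of logging gap a SIEM should alert on, since no events reach the collector while the service is down.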
0Patch created a free micro-patch that addresses the vulnerability in all affected versions of Windows.
The patch requires the 0Patch Agent to be installed on affected systems. 0Patch continues to support some Windows versions that Microsoft no longer supports. Windows 10 will also receive extended support from 0Patch, as well as from Microsoft through its Extended Security Updates program.
Additional information, including vulnerability and patch details, is available on the 0Patch website.
Closing Words
Whether the vulnerability needs to be patched depends on your risk assessment. Most home users are not targeted by sophisticated attacks, but the picture may be different for organizations.
The patch is free at the moment and will stay that way; only the release of an official patch by Microsoft may change that in the future.