Temporary micropatch available for zero-day Windows exploit

A publicly disclosed Windows zero-day vulnerability could allow attackers to take full control of systems once they compromise a low-privilege account. Here's a fix.


Microsoft has left two publicly known vulnerabilities unpatched in Windows this month, but researchers have stepped in and created temporary patches that can be easily applied to protect systems until an official fix becomes available.

During the last two weeks of December, a security enthusiast who uses the online handle SandboxEscaper released details and proof-of-concept exploit code for two privilege escalation vulnerabilities in Windows. Researchers from ACROS Security have released a temporary "micropatch" for one of them through 0patch, a service that provides in-memory binary patching for zero-day flaws, and they are currently testing a patch for the second issue as well.

One of SandboxEscaper's vulnerabilities allows a low-privileged user to read any file on the system, including those belonging to other users. The exploit abuses a Windows feature called MsiAdvertiseProduct that performs operations with SYSTEM privileges, so it can lead to information disclosure, especially if attackers know the path to potentially sensitive files they can expose.

The second vulnerability is even more serious and allows low-privileged users to overwrite arbitrary files as SYSTEM, potentially leading to arbitrary code execution with the highest possible privilege. This flaw has been dubbed the AngryPolarBearBug and is the one that 0patch.com has released a micropatch for.

Privilege escalation vulnerabilities do not allow hackers to break into computers remotely without user interaction. However, once attackers compromise a low-privileged account through some other method, like malware delivered via email, they can exploit such bugs to take full control of systems. SandboxEscaper has disclosed four Windows privilege escalation flaws since August and the first one, located in the Windows Task Scheduler, was quickly used by hackers in attacks before Microsoft was able to release a patch.

Fortunately, the AngryPolarBearBug is not as easy to exploit as the Windows Task Scheduler one because it is a race condition, so it takes multiple retries to succeed, and because attackers can't fully control the data with which files are being overwritten. The proof-of-concept released by SandboxEscaper overwrites a critical system file that’s needed during the Windows boot process, leading to a denial-of-service condition rather than to arbitrary code execution. However, this doesn't mean that achieving code execution is not possible.

"Our micropatch is for Windows 10 version 1803 64-bit," Mitja Kolsek, CEO of ACROS Security and co-founder of the 0patch.com service, says. "We often make a micropatch just for one or several most popular versions and wait for users to express interest in porting to other versions as needed."

How the micropatch is applied

Applying the temporary patch requires installing a small software agent from 0patch.com, which then patches the vulnerable Windows process directly in memory without touching the file on disk. This process is known as micropatching and does not require restarting the OS or even the vulnerable process. When the official Microsoft update is ready to be applied, the micropatch can be removed with a click of a button without leaving any trace behind.

Micropatching can be useful in multiple situations. In addition to eliminating zero-day flaws for which no official patch exists, it can be used to fix newly discovered flaws in software or operating system versions that are no longer supported by their developers. It can also be used as a temporary solution in cases where applying an official patch would require restarting an affected system or application that performs a critical task.

Microsoft releases patches on the second Tuesday of every month, a day that has become known in the software industry as Patch Tuesday. It rarely breaks out of that cycle and typically releases out-of-band security patches only if a critical zero-day vulnerability is being exploited in widespread attacks. This means that the company is unlikely to fix SandboxEscaper's AngryPolarBearBug and arbitrary file read flaw until at least February 12.
