Two newly discovered vulnerabilities have been found to impact an Internet Explorer-specific Event Log present on operating systems prior to Windows 11.

A pair of newly discovered vulnerabilities has highlighted the ongoing risks posed by Internet Explorer’s (IE) deep integration into the Windows ecosystem, despite Microsoft ending support for IE in June 2022.

Discovered by the Varonis Threat Labs team, the exploits affect an IE-specific Event Log that is present on all current Windows operating systems up to, but not including, Windows 11. The vulnerabilities, dubbed LogCrusher and OverLog by the researchers, have been reported to Microsoft, which released a partial patch on October 11, 2022. Teams are urged to patch systems and monitor for suspicious activity to mitigate the security risks, which include crashing the event log service and remote denial-of-service (DoS) attacks.

Exploits affect functions of Microsoft Event Log Remoting Protocol

In a Varonis Threat Labs blog posting, security researcher Dolev Taler wrote that both LogCrusher and OverLog use functions of the Microsoft Event Log Remoting Protocol (MS-EVEN), which allows remote manipulation of a machine’s event logs. The Windows API function OpenEventLogW lets a user open a handle to a specific event log on a local or remote machine. The researcher added that this is useful for services, which can use it to read, write, and clear event logs on remote machines without connecting to those machines manually.

“By default, low-privilege, non-administrative users cannot get a handle for event logs of other machines. The one exception to this is the legacy Internet Explorer log – which exists in every Windows version and has its own security descriptor that overrides the default permissions,” the blog read.
LogCrusher crashes the Event Log application of Windows machines

The LogCrusher exploit is an ElfClearELFW logic bug that allows any domain user to remotely crash the Event Log application of any Windows machine on the domain, Varonis Threat Labs stated. “Unfortunately, the ElfClearELFW function has an improper input validation bug. It expects that the BackupFileName structure will be initialized with a zero value, but when the pointer to the structure is NULL, the process crashes,” Taler wrote.

By default, the Event Log service will try to restart itself two more times, but on the third time it will stay down for 24 hours. Many security controls rely on the normal operation of the Event Log service, so the impact of the crash is that those controls can become blind: attached security products can stop working, and attackers can use any type of usually detected exploit or attack with impunity because many alerts won’t trigger, the blog continued.

OverLog can be used to launch remote DoS attacks on Windows machines

The OverLog vulnerability (CVE-2022-37981) can be used to exploit the BackupEventLogW function and launch a remote DoS attack by filling the hard drive space of any Windows machine on the domain, Taler stated. “The bug here is even more simple, and although it says in the documentation that the backup user needs to have SE_BACKUP_NAME privilege, the code does not validate it – so every user can back up files to a remote machine if they have write access to a folder on that machine,” he wrote.
He also provided the following attack flow example:

1. Get a handle to the Internet Explorer Event Log on the victim machine.
2. Write some arbitrary logs to the Event Log (random strings; different lengths).
3. Back up the log to a writeable folder on the machine (example: “c:\windows\tasks”) that every domain user has write permission to by default.
4. Repeat the backup process until the hard drive is full and the computer ceases operation.
5. The victim machine is unable to write the “pagefile” (virtual memory), rendering it unusable.

Patch reduces risks, teams urged to monitor suspicious activity

Microsoft has opted not to fully fix the LogCrusher vulnerability on Windows 10 (more recent operating systems are unaffected), according to Taler. “As of Microsoft’s Oct. 11, 2022 Patch Tuesday update, the default permissions setting that had allowed non-administrative users access to the Internet Explorer Event Log on remote machines has been restricted to local administrators, greatly reducing the potential for harm,” he added.

However, while this addresses this particular set of IE Event Log exploits, there remains potential for other user-accessible application Event Logs to be similarly leveraged for attacks, Taler warned. Therefore, the Microsoft patch should be applied to all potentially vulnerable systems and security teams should monitor for suspicious activity, he concluded.

Speaking to CSO, Tope Olufon, Senior Analyst at Forrester, says, “While this vulnerability should be patched, I would not classify the situation as high risk at this time. It requires a user account, and if that has been compromised, you will likely have bigger problems. Also, a patch has already been released (an administrator account is now needed for compromise, same point as above). Recommendations here are to install the Microsoft patch and monitor unusual write activity on crown jewels.
Looking ahead, this is one of many vulnerabilities that will be discovered as Internet Explorer goes into extinction.”
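The article notes that after LogCrusher kills the Event Log service a third time it stays down for 24 hours, leaving security controls blind. The following detection sketch is an added example (not from the CSO article or from Varonis): it scans constructed Service Control Manager records and flags hosts whose Event Log service was terminated unexpectedly three times in a short window. Event ID 7034 ("service terminated unexpectedly") and the service short name "EventLog" are real Windows values; the records, hostnames and window size are assumptions.

```python
"""Flag hosts whose Windows Event Log service has crashed repeatedly.

Added example, not the article's or Varonis' code. Event ID 7034 is the
Service Control Manager record written when a service terminates
unexpectedly; "EventLog" is the short name of the Windows Event Log service.
The default threshold of three crashes mirrors the behaviour described in
the article: two automatic restarts, then the service stays down for 24h.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (host, timestamp, event id, service name).
SAMPLE_EVENTS = [
    ("WS01", "2022-10-12T09:00:05", 7034, "EventLog"),
    ("WS01", "2022-10-12T09:00:40", 7034, "EventLog"),
    ("WS01", "2022-10-12T09:01:10", 7034, "EventLog"),   # third crash -> blind
    ("WS02", "2022-10-12T09:03:00", 7034, "EventLog"),
    ("WS02", "2022-10-12T11:00:00", 7034, "EventLog"),   # two hours apart: benign
    ("WS03", "2022-10-12T09:00:00", 7034, "Spooler"),    # unrelated service
]


def find_blinded_hosts(events, crashes=3, window=timedelta(minutes=10)):
    """Return {host: time of the first crash in the run} for every host whose
    EventLog service produced `crashes` or more 7034 records within `window`."""
    by_host = defaultdict(list)
    for host, ts, event_id, service in events:
        if event_id == 7034 and service == "EventLog":
            by_host[host].append(datetime.fromisoformat(ts))

    hits = {}
    for host, times in by_host.items():
        times.sort()
        # Sliding window over the sorted crash times: a run of `crashes`
        # consecutive records whose span fits inside `window` is a hit.
        for i in range(len(times) - crashes + 1):
            if times[i + crashes - 1] - times[i] <= window:
                hits[host] = times[i]
                break
    return hits


if __name__ == "__main__":
    for host, first in find_blinded_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: Event Log service crash storm starting {first.isoformat()}")
```

In production the same logic would run over 7034 records pulled from the System log of each monitored host, with the window tuned to the restart delay observed in that environment.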