Two newly discovered vulnerabilities have been found to impact an Internet Explorer-specific Event Log present on operating systems prior to Windows 11.

A pair of newly discovered vulnerabilities have highlighted the ongoing risks posed by Internet Explorer's (IE) deep integration into the Windows ecosystem, despite Microsoft ending support for IE in June 2022. Discovered by the Varonis Threat Labs team, the exploits affect an IE-specific Event Log that is present on all current Windows operating systems up to, but not including, Windows 11. The vulnerabilities, dubbed LogCrusher and OverLog by the researchers, have been reported to Microsoft, which released a partial patch on October 11, 2022. Teams are urged to patch systems and monitor for suspicious activity to mitigate the security risks, which include crashing of the Event Log service and remote denial-of-service (DoS) attacks.

Exploits affect functions of Microsoft Event Log Remoting Protocol

In a Varonis Threat Labs blog post, security researcher Dolev Taler wrote that both LogCrusher and OverLog use functions of the Microsoft Event Log Remoting Protocol (MS-EVEN), which allows remote manipulation of a machine's event logs. A Windows API function, OpenEventLogW, lets a user open a handle to a specific event log on a local or remote machine; this is useful for services that read, write, and clear event logs on remote machines without having to connect to those machines manually, the researcher added.

"By default, low-privilege, non-administrative users cannot get a handle for event logs of other machines. The one exception to this is the legacy Internet Explorer log – which exists in every Windows version and has its own security descriptor that overrides the default permissions," the blog read.
LogCrusher crashes the Event Log application of Windows machines

The LogCrusher exploit is a logic bug in ElfClearELFW that allows any domain user to remotely crash the Event Log application of any Windows machine on the domain, Varonis Threat Labs stated. "Unfortunately, the ElfClearELFW function has an improper input validation bug. It expects that the BackupFileName structure will be initialized with a zero value, but when the pointer to the structure is NULL, the process crashes," Taler wrote. By default, the Event Log service will try to restart itself two more times, but on the third time it will stay down for 24 hours. Many security controls rely on the normal operation of the Event Log service, so the crash leaves those controls blind: attached security products can stop working, and attackers can use any normally detected exploit or attack with impunity because many alerts will not trigger, the blog continued.

OverLog can be used to launch remote DoS attacks on Windows machines

The OverLog vulnerability (CVE-2022-37981) exploits the BackupEventLogW function to launch a remote DoS attack by filling the hard drive of any Windows machine on the domain, Taler stated. "The bug here is even more simple, and although it says in the documentation that the backup user needs to have SE_BACKUP_NAME privilege, the code does not validate it – so every user can backup files to a remote machine if they have write access to a folder on that machine," he wrote.
He also provided the following attack flow example:

1. Get a handle to the Internet Explorer Event Log on the victim machine.
2. Write some arbitrary logs to the Event Log (random strings of different lengths).
3. Back up the log to a writeable folder on the machine (example: "c:\windows\tasks") that every domain user has write permission to by default.
4. Repeat the backup process until the hard drive is full and the computer ceases operation.
5. The victim machine is unable to write its "pagefile" (virtual memory), rendering it unusable.

Patch reduces risks, teams urged to monitor suspicious activity

Microsoft has opted not to fully fix the LogCrusher vulnerability on Windows 10 (more recent operating systems are unaffected), according to Taler. "As of Microsoft's Oct. 11, 2022 Patch Tuesday update, the default permissions setting that had allowed non-administrative users access to the Internet Explorer Event Log on remote machines has been restricted to local administrators, greatly reducing the potential for harm," he added. However, while this addresses this particular set of IE Event Log exploits, there remains potential for other user-accessible application Event Logs to be similarly leveraged for attacks, Taler warned. Therefore, Microsoft's patch should be applied to all potentially vulnerable systems and security teams should monitor for suspicious activity, he concluded.

Speaking to CSO, Tope Olufon, Senior Analyst at Forrester, says, "While this vulnerability should be patched, I would not classify the situation as high risk at this time. It requires a user account, and if that has been compromised, you will likely have bigger problems. Also, a patch has already been released (an administrator account is now needed for compromise, same point as above). Recommendations here are to install the Microsoft patch and monitor unusual write activity on crown jewels.
Looking ahead, this is one of many vulnerabilities that will be discovered as Internet Explorer goes into extinction."
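As an added defensive example (written for this page, not code from Varonis, Microsoft or CSO), the Python below runs over constructed sample telemetry and flags the two symptoms the article describes: the Windows Event Log service terminating repeatedly (the LogCrusher effect) and a burst of files landing in a folder every domain user can write to (the OverLog backup loop). The event sources and IDs are real Windows and Sysmon ones; the hostnames, timestamps, file names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): (timestamp, host, source, event_id, detail). Hosts,
# times and file names are made up; SCM 7034 (service terminated unexpectedly) and Sysmon 11 (FileCreate) are real IDs.
SAMPLE = [
    ("2022-10-12T09:00:01", "WS01", "Service Control Manager", 7034, "Windows Event Log"),
    ("2022-10-12T09:00:40", "WS01", "Service Control Manager", 7034, "Windows Event Log"),
    ("2022-10-12T09:01:15", "WS01", "Service Control Manager", 7034, "Windows Event Log"),
    ("2022-10-12T09:05:00", "WS02", "Service Control Manager", 7034, "Print Spooler"),
    ("2022-10-12T10:00:00", "WS03", "Sysmon", 11, r"C:\Windows\Tasks\ie_0001.evt"),
    ("2022-10-12T10:00:02", "WS03", "Sysmon", 11, r"C:\Windows\Tasks\ie_0002.evt"),
    ("2022-10-12T10:00:05", "WS03", "Sysmon", 11, r"C:\Windows\Tasks\ie_0003.evt"),
    ("2022-10-12T10:00:07", "WS03", "Sysmon", 11, r"C:\Windows\Tasks\ie_0004.evt"),
    ("2022-10-12T10:30:00", "WS04", "Sysmon", 11, r"C:\Windows\Tasks\one_off.evt"),
]
# Folders every domain user can write to by default (the article names c:\windows\tasks).
WRITABLE_DIRS = ("c:\\windows\\tasks\\",)

def _ts(s): return datetime.fromisoformat(s)

def _burst_hosts(events, window, threshold):
    """Return {host: peak_count} for hosts with >= threshold (datetime, host) events in any sliding window."""
    per_host = defaultdict(list)
    for ts, host in events:
        per_host[host].append(ts)
    hits = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window start forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[host] = max(hits.get(host, 0), count)
    return hits

def eventlog_crash_hosts(records, window=timedelta(hours=24), threshold=1):
    """LogCrusher symptom: one crash already blinds the host (threshold 1); the count tracks the 24h lockout."""
    crashes = [(_ts(ts), host) for ts, host, src, eid, detail in records
               if src == "Service Control Manager" and eid == 7034 and detail == "Windows Event Log"]
    return _burst_hosts(crashes, window, threshold)

def backup_flood_hosts(records, window=timedelta(minutes=5), threshold=3):
    """OverLog symptom: a burst of new files (event log backups) in a world-writable folder."""
    writes = [(_ts(ts), host) for ts, host, src, eid, detail in records
              if src == "Sysmon" and eid == 11 and detail.lower().startswith(WRITABLE_DIRS)]
    return _burst_hosts(writes, window, threshold)
```

In production the same two checks would be fed from the System log (Service Control Manager) and a file-creation source such as Sysmon, with the writable-folder list extended to whatever your baseline shows non-administrators can write to.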