By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy

A micropatch implementing Microsoft's workaround for the actively exploited zero-day remote code execution (RCE) vulnerability impacting Internet Explorer is now available via the 0patch platform until an official fix will be released. Microsoft's advisory says that the company is aware of "limited targeted attacks" targeting the flaw tracked as CVE-2020-0674. The vulnerability, reported by Clément Lecigne of Google’s Threat Analysis Group and Ella Yu from Qihoo 360, "could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user" according to Microsoft. If the user is logged on with administrative permissions on a compromised device, attackers can take full control of the system allowing for program installation and data manipulation, or the possibility to create accounts with full user rights. While no patch for this security issue has been provided so far, Redmond is working on a fix that could be pushed out as an out-of-band security update before next month's Patch Tuesday, just as it happened when a very similar Internet Explorer RCE zero-day was fixed in September 2019. As 0patch found, the mitigation provided by Redmond also comes with several other negative side effects. 0patch created and released a micropatch for Internet Explorer 11, the latest version of the web browser, ready to be applied on fully-patched devices running of Windows 7, Windows 10 v1709/v1803/v1809, Windows Server 2008 R2, and Windows Server 2019. Applying it on these systems will also protect Windows 7 and Windows Server 2008 R2 users that haven't enrolled in the Extended Security Updates program in the event that Microsoft won't be releasing security fixes for their platform. "Our micropatch works like a switch that disables or enables the use of vulnerable jscript.dll by Internet Explorer's browser component in various applications (IE, Outlook, Word,...)," 0patch co-founder Mitja Kolsek explained. "If you're a 0patch user, you already have this micropatch downloaded to all your online computers with 0patch Agent, and - depending on your settings - already automatically applied to all processes using the Internet Explorer 11 engine for rendering content. For more in-depth reading visit OUR FORUM.

Two proofs-of-concept (PoC) exploits have been publicly released for the recently-patched crypto-spoofing vulnerability found by the National Security Agency and reported to Microsoft. The vulnerability (CVE-2020-0601) could enable an attacker to spoof a code-signing certificate (necessary for validating executable programs in Windows) in order to make it appear like an application was from a trusted source. The flaw made headlines when it was disclosed earlier this week as part of Microsoft’s January Patch Tuesday security bulletin. It marked the first time the NSA had ever publicly reported a bug to Microsoft. The two PoC exploits were published to GitHub on Thursday. Either could potentially allow an attacker to launch MitM (man-in-the-middle) attacks – allowing an adversary to spoof signatures for files and emails and fake signed-executable code inside programs that are launched inside Windows. One PoC exploit was released by Kudelski Security and the other by a security researcher under the alias “Ollypwn”. According to Microsoft’s advisory, the spoofing vulnerability exists in the way Windows CryptoAPI (Microsoft’s API that enables developers to secure Windows-based applications using cryptography) validates Elliptic Curve Cryptography (ECC) certificates. Kudelski Security in a blog post said they launched the PoC using a “curve P384” certificate, which uses ECC (specifically, the USERTrust ECC Certificate Authority). Researchers were able to craft a key used to sign the “curve P384” certificate with an arbitrary domain name. This certificate would subsequently be recognized by Windows’ CryptoAPI as trusted. Another similar PoC exploit was publicly released by Denmark-based security expert “Ollypwn.” “When Windows checks whether the certificate is trusted, it’ll see that it has been signed by our spoofed CA,” said “Ollypwn” in a write up of his PoC exploit. “It then looks at the spoofed CA’s public key to check against trusted CA’s. Then it simply verifies the signature of our spoofed CA with the spoofed CA’s generator – this is the issue.” A third PoC exploit was developed by security expert Saleem Rashid; who said on Twitter, Wednesday, that the PoC allowed him to fake TLS certificates and set up sites that look like legitimate ones. However, Rashid did not make his PoC exploit code public. To read the warnings, and more please visit OUR FORUM.

Microsoft has ended official support for Windows 7 on January 14 — 11 years after it first launched to rave reviews. Although Windows 10 eventually managed to overtake Windows 7's market share, many businesses and even home users continue to use Windows 7 despite Microsoft constantly urging them to upgrade. After January 14, Windows 7 users won't be getting any free support including any security updates. While your PC won't automagically stop working after January 14, not having timely security updates can comprise your online life. As we have seen with Windows XP, businesses reluctant to upgrade are used to paying hefty support fees to Microsoft after the official support period. A similar process is likely to be seen with Windows 7 as well. Enterprises have to enroll for Extended Security Updates (ESUs) in order to receive patches for vulnerabilities that may allow the spread of malware such as ransomware. If for some reason you wish to cling onto Windows 7, here's a neat hack developed by My Digital Life (MDL) forums veteran abbodi1406 to trick Microsoft into bypassing eligibility checks for Extended Security Updates. Then, register yourself on the MDL forums. Download the tool and install it. After installing the tool, fire-up Windows Update and see if it downloads the KB4528069 test update. If it does, your PC is now eligible to receive Microsoft's ESU that are otherwise only available to business users. The author notes that unlike conventional updates, ESUs have to be installed live via Windows Update only and cannot be installed offline or integrated into your Windows image via DISM. Eligibility for ESU is checked only once during the first ESU download. Therefore, you can remove the tool once eligibility is confirmed and you are able to download the aforementioned test update. However, do remember that the tool is still a prototype and any change in Microsoft's policies towards servicing ESUs may break the hack so, you will have to keep an eye on the thread for any updates to the tool. Follow this thread on OUR FORUM.

'The consequences of not patching the vulnerability are severe and widespread,' says National Security Agency, which found the bug. Windows 10 users have been urged to update their PCs or risk having private messages read. The huge vulnerability has been patched in an update but any computer that has not received the latest version of the operating system is at risk. The bug was discovered by the National Security Agency which alerted Microsoft, rather than using it to spy on citizens. The company then fixed the bug for all of its users through the latest free update, part of its "Patch Tuesday" program of regular fixes, which seals up the exploit and stops hackers from intercepting communications. There is no indication that the exploit has been used by hackers, Microsoft said, in a note that gave credit to the NSA for finding it. Amit Yoran, CEO of security firm Tenable, said it is "exceptionally rare if not unprecedented" for the U.S. government to share its discovery of such a critical vulnerability with a company. Yoran, who was a founding director of the Department of Homeland Security's computer emergency readiness team, urged all organizations to prioritize patching their systems quickly. An advisory sent by the NSA on Tuesday said: "the consequences of not patching the vulnerability are severe and widespread." Microsoft said an attacker could exploit the vulnerability by spoofing a code-signing certificate so it looked like a file came from a trusted source. "The user would have no way of knowing the file was malicious because the digital signature would appear to be from a trusted provider," the company said. If successfully exploited, an attacker would have been able to conduct "man-in-the-middle attacks" and decrypt confidential information on user connections, the company said. Some computers will get the fix automatically if they have the automatic update option turned on. Others can get it manually by going to Windows Update in the computer's settings. Further details can be found on OUR FORUM.

Today is a really historic day for the Microsoft family. Almost 11 years after the launch of Windows 7, Microsoft has decided its time to pull the plug on support for one of their most popular Operating Systems ever. For younger people more familiar with Windows 10, it’s hard to explain just how good Windows 7 was at the time. It felt like the first really STABLE and really aesthetically pleasing Operating System that Microsoft offered. Though it’s hard to believe, for millions of people, logging in daily and seeing this image below brought a sense of real comfort to the day. Windows 7 was awesome. It was seen as a marked improvement over its predecessor Window Vista, adding new “fancy” features like the taskbar, Aero window management, file libraries, and much more. Even with all the warnings and the heads up, Windows 7 remains popular, even today. It runs on 26 percent of all PC’s which is a staggering number considering that Windows 10 has been out for 4+ years AND Microsoft offered (and still offers) Windows 10 as a FREE upgrade to customers. Microsoft has been notifying users about this day for a full year and they plan to step up the notifications. A full-screen notification will appear for Windows 7 users on Wednesday, warning users that their systems are now out of support. If you are a business or an academic institution, your users will be able to pay for extended security updates but, it’s going to be expensive. Obviously some discounts will be available with volume licensing but when you start to think about how the costs will add up, the question is naturally – why stay with Windows 7? As you can see from the prices above, a company with 100 or more employees will start to pay REAL money going forward but there are a lot of smaller companies that will stay on Windows 7 until the lights are turned off. The reason is, they have made the decision that it’s a business-critical tool for their business. It would shock you if you knew how many small hotels and businesses run proprietary Windows 7 software. For more facts and figures, please visit OUR FORUM.

The certainties that Windows 7 embodied have long gone, and that's no bad thing. In just a couple of days, Windows 7 finally goes out of support, which means no more bug fixes or updates for the millions who are still using the operating system, which first launched back in 2009. In many respects, the success of Windows 7 was the high water mark for the PC and for Windows. It has been much loved by PC users and admins in the past decade -- and not just for replacing its reviled predecessor, Windows Vista. It's had plenty of staying power, too: Windows 7 users largely (and probably rightly) ignored Windows 8 when it appeared, and only with Windows 10 maturing (and old hardware giving up) has migration from the reliable and comfortable Windows 7 finally gathered pace. But even with the clock ticking down towards the end of support, Windows 7 fans have proved stubborn. Although businesses have mostly made the move, there are still plenty of consumers hanging on to their old favorite. My colleague Ed Bott has done some smart number crunching and reckons there are about 1.2 billion Windows PCs in use around the world, with somewhere around a billion running Windows 10 and most of the rest running Windows 7. As he notes, that means somewhere near 200 million PCs could soon be running out-of-date software, and any new security holes are unlikely to get fixed (unless you are willing to pay for extended support). The Windows 7 era coincided with the high point of the PC era, and the end of Windows 7 marks the end of the PC era, too. When Windows 7 launched, the iPhone and its app store were around but were still novelties, while the iPad hadn't arrived yet. If you wanted to get work -- or pretty much anything -- done on a computer, you needed a PC. Just over a decade later, the picture is much more complicated. PC sales have been in decline for the last seven years; a slide which only ended with a small increase last year, largely because businesses needed to buy new PCs to run Windows 10, after bowing to the inevitable and upgrading. In many scenarios and use cases, the PC has been superseded by the smartphone, the tablet or digital assistants embodied in various other devices. And it's not just the PC -- Windows is no longer the defining product for Microsoft that it once was. That's not to say the PC is dead, of course: I'm typing on one now, and it will remain the primary device I use to do my job for the foreseeable future. Many office and knowledge workers will feel the same. But there are now plenty of other options: Follow the "End-of-Life" of Windows 7 on OUR FORUM.

 

Translate