A security researcher has accidentally discovered a zero-day vulnerability that impacts the Windows 7 and Windows Server 2008 R2 operating systems while working on an update to a Windows security tool.
The culprits are the registry keys for the DNSCache and RPC Endpoint Mapper services, which are present in all Windows installations:
- HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper
- HKLM\SYSTEM\CurrentControlSet\Services\Dnscache
If an attacker has access to a vulnerable system, they can modify certain registry keys to activate a sub-key that is used by Windows Performance Monitoring. These sub-keys are used to monitor the performance of the applications on your system. Because of their monitoring role, they allow developers to load their own DLL files to track performance using custom tools. But this leaves a door open for bad actors.
While on recent versions of Windows these DLLs are usually restricted and loaded with limited privileges, this is not the case for older Windows versions such as Windows 7 and Windows Server 2008. On these outdated operating systems, it is still possible to load custom DLLs that run with SYSTEM-level privileges, which is the root of this zero-day vulnerability. You can read the full story here.
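To check a single host for the condition described above, the following PowerShell can be used. It is an added example, not part of the original article or of Lansweeper's product; it assumes an elevated local session and that the Performance Monitoring sub-key is named `Performance` (the standard Windows location, which the article does not name). It lists non-administrative principals that can write to the two service keys and reports an existing `Performance` sub-key for review.

```powershell
# Added example: audit the two service keys named in the article on one host.
# Assumption: run locally in an elevated PowerShell 2.0+ session.
$serviceKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\RpcEptMapper',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache'
)

# Principals expected to hold write access to service keys.
$trustedSids = @(
    'S-1-5-18',        # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',    # BUILTIN\Administrators
    'S-1-3-0',         # CREATOR OWNER placeholder
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that let a principal add sub-keys or values under the service key.
$writeMask = [int]([System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                   [System.Security.AccessControl.RegistryRights]::SetValue)

$findings = foreach ($key in $serviceKeys) {
    if (-not (Test-Path $key)) { continue }

    foreach ($rule in (Get-Acl -Path $key).Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (([int]$rule.RegistryRights -band $writeMask) -eq 0) { continue }
        # Compare by SID so the check also works on localized Windows builds.
        try {
            $sid = $rule.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { $sid = $rule.IdentityReference.Value }
        if ($trustedSids -contains $sid) { continue }
        New-Object PSObject -Property @{
            Key = $key; Finding = 'Write access for non-admin principal'
            Detail = "$($rule.IdentityReference) : $($rule.RegistryRights)"
        }
    }

    # Report a Performance sub-key if one exists so its contents can be reviewed.
    $perfKey = Join-Path $key 'Performance'   # assumed sub-key name, see lead-in
    if (Test-Path $perfKey) {
        New-Object PSObject -Property @{
            Key = $key; Finding = 'Performance sub-key present'
            Detail = ((Get-Item $perfKey).GetValueNames() -join ', ')
        }
    }
}
$findings | Format-Table Key, Finding, Detail -AutoSize
```

An empty result means neither key grants write access outside the listed principals and no `Performance` sub-key exists under them.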
This vulnerability serves as a reminder that you should be aware of any remaining Windows 7 computers in your organization. At Lansweeper, we have seen security threats coming from outdated operating systems, unpatched vulnerabilities, and so on. The longer your company waits to update its systems, the greater the risk of a potentially costly attack.
Find All Windows 7 & Windows Server 2008/2008R2 Installations in Your Network
Windows Server 2008 and Windows Server 2008 R2, along with Windows 7, have been out of support since 14 January 2020. To ensure that your servers are not a security risk, it is highly recommended to upgrade to a newer version of Windows Server.
Lansweeper provides a convenient overview of all your Windows Server 2008 and Windows 7 installations, along with a color-coded indication of whether an action is required or not. You can find more information on auditing your network for Windows 7 EOL in this dedicated blog post. These reports let you plan and monitor your progress in migrating your old Windows 7 and Windows Server 2008 installations to newer, supported Windows operating systems. We recommend running the following reports: