Status of Windows 7 and Windows Server 2008 R2 micropatches

mitja.kolsek -

This article presents the current status of vulnerabilities affecting Windows 7 and Windows Server 2008 R2 after their end of support on January 14, 2020, as well as the current status of our micropatches issued for these vulnerabilities. Note that in order for us to issue a micropatch for a vulnerability, we must consider it high-risk and have a test case ("POC", proof-of-concept) at hand to be able to reproduce and analyze the issue. Accordingly, only vulnerabilities currently eligible for micropatching are included in the table.    

The table below will be continually updated with status changes (e.g., if a vulnerability becomes exploited, if our risk assessment changes, when we issue a micropatch) and new eligible vulnerabilities as we become aware of them either through Microsoft's documentation or other sources (e.g., a vulnerability getting published or privately reported to us).

For any questions please contact support@0patch.com.

 
| CVE ID | Title | Public | RCE | Exploited | Comment | 0patch status |
|---|---|---|---|---|---|---|
| CVE-2020-1472 | Microsoft Netlogon Elevation of Privilege ("Zerologon") | yes | no | no | POC published by security researchers, very likely to be exploited | Micropatch issued on 9/17/2020 for Windows Server 2008 R2 |
| CVE-2020-1380 | Scripting Engine Memory Corruption | yes | yes | yes | POC published by security researchers, exploited in Operation PowerFall | Micropatch issued on 9/14/2020 for Windows 7 and Server 2008 R2 |
| CVE-2020-1530 | Windows Remote Access Phonebook Use-After-Free | yes | yes | no | POC published by security researcher | Micropatch issued on 9/9/2020 for Windows 7 and Server 2008 R2 (Note that the vulnerability exists in two places, each in its own DLLs, which is why each Windows platform has two micropatches.) |
| CVE-2020-1337 | Windows Print Spooler Elevation of Privilege Vulnerability | yes | no | no | POC published by security researcher | Micropatch issued on 9/1/2020 for Windows 7 and Server 2008 R2 |
| CVE-2020-1113 | Windows Task Scheduler Security Feature Bypass | yes | yes | no | POC published by security researcher | Micropatch issued on 8/11/2020 for Windows Server 2008 R2 |
| CVE-2020-1350 | Windows DNS Server Remote Code Execution Vulnerability | yes | yes | no | POC published by security researcher | Micropatch issued on 7/17/2020 for Windows Server 2008 R2 |
| CVE-2020-0662 | Memory Corruption in Windows DHCP Message Processing | yes | yes | no | POC published by security researcher | Micropatch issued on 7/16/2020 for Windows 7 and Server 2008 R2 |
| CVE-2020-1299 | LNK Remote Code Execution Vulnerability | no | yes | no | POC provided by security researcher | Micropatch issued on 6/26/2020 for Windows 7 and Server 2008 R2 |
| CVE-2020-1281 | OLE Remote Code Execution Vulnerability | yes | yes | no | POC published by researcher | Micropatch issued on 6/16/2020 for Windows 7 and Server 2008 R2 |
| CVE-2020-1015 | User-Mode Power Service Memory Corruption | yes | no | no | POC published by researcher | Micropatch issued on 5/27/2020 for Windows 7 and Server 2008 R2 |
| CVE-2020-1048 | Print Spooler Elevation of Privilege ("PrintDemon") | yes | no | yes | POC published by researcher | Micropatch issued on 5/20/2020 for Windows 7 and Server 2008 R2 |
| CVE-2020-0687 | Microsoft Graphics Remote Code Execution Vulnerability | no | yes | no | POC provided by security researcher | Micropatch issued on 4/22/2020 for Windows 7 and Server 2008 R2 |
| CVE-2020-0729 | LNK Remote Code Execution Vulnerability | yes | yes | no | User must be tricked into opening a folder under attacker's control (e.g., from a remote share or a USB key). Stuxnet exploited a similar vulnerability. | Micropatch issued on 4/3/2020 for Windows 7 and Server 2008 R2 |
| CVE-2020-0938, CVE-2020-1020 | Type 1 Font Parsing Remote Code Execution Vulnerability | no | yes | yes | Initially a 0day, fixed by Microsoft with April 2020 updates. | Micropatch issued on 3/27/2020 for Windows 7 and Server 2008 R2 - this micropatch prevents the processing of Type 1 PostScript fonts |
| CVE-2020-0668 | Windows Service Tracing Elevation of Privilege Vulnerability | yes | no | no | POC published by researcher | Micropatch issued on 3/20/2020 for Windows 7 and Server 2008 R2 |
| CVE-2020-0881 | GDI+ Remote Code Execution Vulnerability | no | yes | no | POC obtained | Micropatch issued on 3/19/2020 for Windows 7 and Server 2008 R2 |
| CVE-2020-0683 | Windows Installer Elevation of Privilege Vulnerability | yes | no | no | POC published by researcher | Micropatch issued on 3/12/2020 for Windows 7 and Server 2008 R2 |
| CVE-2020-0674 | Scripting Engine Memory Corruption Vulnerability | yes | yes | yes | Found exploited in the wild in limited attacks; vendor initially provided a workaround; we created a micropatch to implement the same workaround without side effects | Micropatch issued on 2/19/2020 for Windows 7 / Server 2008 R2, and previous "temporary workaround" micropatch (402) revoked for these platforms. Micropatch issued on 2/21/2020 for Windows 10 v1903/v1909 and previous "temporary workaround" micropatch (407) revoked for these platforms. Note: this micropatch modifies the behavior of JScript function sort such that calling it with a callback function will behave as if it was called without one (i.e., sort will always perform a string-based sort). We assess this will affect a small number of applications, and not in a critical way. ("Temporary workaround" micropatches 403, 404, 405, 407 remain in place for other platforms.) |
| CVE-2020-0686 | Windows Installer Elevation of Privilege Vulnerability | yes | no | no | POC published by researcher | We determined that in order to exploit this issue, a vulnerable application which places critical files in attacker-writable folders must already be installed by administrator. We therefore do not consider this issue to significantly increase the (already present) risk caused by that application. |
| CVE-2020-0787 | Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability | yes | no | no | POC published by researcher | Analysis underway |
| CVE-2020-0673 | Scripting Engine Memory Corruption Vulnerability | no | yes | no | Likely related to CVE-2020-0674 | Trying to obtain a POC; meanwhile, our workaround micropatches for CVE-2020-0674 should prevent this vulnerability from being exploited |
| CVE-2020-0738 | Media Foundation Memory Corruption Vulnerability | no | yes | no | Exploit confirmed against a sample app; exploitation against actual applications questionable | Analysis underway |
             

 
