[German]ACROS Security has released a micro-patch for its 0patch agent that fixes the remote execution vulnerability CVE-2020-0881 in the GDI+. The micro-fix is available for users of Windows 7 SP1 and Windows Server 2008 R2 who have not purchased a corresponding ESU package from Microsoft but have purchased ACROS Security Pro Support.
The Windows GDI+ vulnerability CVE-2020-0881
A remote execution vulnerability exists in the Windows GDI+ system, which has been assigned the identifier CVE-2020-0881 and has been publicly disclosed since March 10, 2020. The Common Vulnerabilities and Exposures database (CVE) contains the following details:
A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory, aka ‘GDI+ Remote Code Execution Vulnerability’. This CVE ID is unique from CVE-2020-0883.
The vulnerability therefore exists in the Windows Graphics Device Interface (GDI) and occurs due to incorrect handling of objects in memory. There are several ways in which an attacker could exploit the vulnerability:
- In a Web-based attack scenario, an attacker could host a specially crafted Web site that is designed to exploit the vulnerability and then trick users into viewing the Web site. An attacker would have no way to force users to view content controlled by the attacker. Instead, an attacker would have to make users act by making them open an e-mail attachment or click a link in an e-mail or instant message.
- In a file-sharing attack scenario, an attacker could deploy a specially crafted document file to exploit the vulnerability and then trick users into opening the document file.
An attacker could use the vulnerability to install programs, view, modify, or delete data, or create new accounts with full user privileges. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who work with administrative user rights.
Microsoft has released updates in March 2020
Microsoft classifies the vulnerability as critical and has published this security advisory on 10 March 2020. Security updates have been released for all versions of Windows, from Windows 7 SP1 to Windows Server 2008 R2 and Windows 10. The security update for these versions of Windows addresses the vulnerability by correcting the way in which Windows GDI handles objects in memory.
0patch provides micro-fix for CVE-2020-0881
However, users of Windows 7 SP1 and Windows Server 2008 R2 who do not have an ESU license will no longer receive the security updates that are released by Microsoft. Because the vulnerability is considered critical and because there was a proof of concept from a security researcher, the people at ACROS Security developed a micro-fix for the vulnerability.
We’ve just issued a micropatch for CVE-2020-0881 (https://t.co/MAt5sivS6Z), a memory corruption issue in Windows GDI+ that could be exploited for remote code execution. This PRO-only micropatch applies to Windows 7 and Server 2008 R2 without Extended Security Updates. pic.twitter.com/Sdml9PMP4r
— 0patch (@0patch) March 19, 2020
If you installed the 0patch agent and purchased a Pro or Enterprise subscription, Windows 7 SP1 or Windows Server 2008 R2 will protect the system against the vulnerability. The agent pulls the micro-fix and loads it into memory when Windows loads the GDI+ components. On Twitter you can still find some tweets from ACROS Security with hints.
Windows 7: Forcing February 2020 Security Updates – Part 1
Windows 7: Securing with the 0patch solution – Part 2 – Part 2
Windows 7/Server 2008/R2: 0patch delivers security patches after support ends
Project: Windows 7/Server 2008/R2 Life Extension & 0patch one month trial
0patch: Fix for Internet Explorer 0-day vulnerability CVE-2020-0674
0patch: Fix for Windows Installer flaw CVE-2020-0683