ACROS Security has released a micro patch for the "Stuxnet-like" LNK RCE vulnerability CVE-2020-0729. The micro patch is delivered through the 0patch agent to Windows 7 SP1 and Windows Server 2008 R2 systems that no longer receive Microsoft's update.
The LNK RCE Vulnerability CVE-2020-0729
CVE-2020-0729 is a remote code execution vulnerability that Microsoft described in this advisory on February 11, 2020. The vulnerability exists in the processing of LNK files (Windows shortcuts). An attacker could present the user with a removable drive or remote share containing an LNK file that references an associated malicious binary. If the user opens the drive (or remote share) in Windows Explorer, which parses the LNK file in order to render it, or in any other application that parses the LNK file, the malicious binary is executed on the target system; no click on the shortcut itself is required.
An attacker who successfully exploited this vulnerability would gain the same rights as the local user. Users who work with standard (non-administrative) accounts are therefore less exposed than those who work with administrative rights. In the advisory dated February 11, 2020, Microsoft rates exploitation as 'unlikely'. Nevertheless, security updates for all Windows versions still receiving updates, from Windows 7 SP1 to Windows 10 and from Windows Server 2008 to Windows Server 2019, were released on the February 2020 Patchday.
A detailed analysis of the remote code execution vulnerability CVE-2020-0729 was disclosed by the Zero Day Initiative (ZDI) on March 26, 2020 in this article.
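The scenario above (an LNK file staged on removable media or a share, parsed by Explorer as soon as the folder is opened) can be triaged without ever letting the Windows shell touch the file. The following is an added example, not code from this post, from 0patch or from Microsoft: a standalone Python parser for the parts of the Shell Link format (MS-SHLLINK) that record where a shortcut points, plus a scanner that walks a mounted drive or a copied share. The sample LNK bytes are constructed inside the block for illustration, and the list of "binary" extensions is a triage heuristic of mine, not something the advisory defines.

```python
"""Offline triage of Windows .LNK (Shell Link) files.

Added example for this post; not code from the page, 0patch or Microsoft.
Only the fields that say where a shortcut points are read (LinkInfo local
path, volume drive type, network share, relative path, arguments), following
the MS-SHLLINK layout. The file is never handed to the Windows shell, so the
vulnerable LNK parsing code on an unpatched host is not exercised.
The sample LNK built below is constructed data; EXEC_SUFFIXES is a heuristic.
"""
import os
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
DRIVE_TYPES = {0: "unknown", 1: "no_root_dir", 2: "removable", 3: "fixed",
               4: "remote", 5: "cdrom", 6: "ramdisk"}
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".cpl", ".com")


def _cstr(buf, off):
    """Null-terminated ANSI string starting at off."""
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def parse_lnk(data):
    """Return a dict of link target fields; ValueError if not a Shell Link."""
    if (len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"flags": flags, "local_path": None, "drive_type": None,
            "net_name": None, "relative_path": None, "arguments": None}
    pos = 0x4C  # end of the fixed-size ShellLinkHeader
    if flags & HAS_LINK_TARGET_IDLIST:  # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li = pos
        (size, _hdr, li_flags, vol_off, base_off,
         net_off, suffix_off) = struct.unpack_from("<7I", data, li)
        suffix = _cstr(data, li + suffix_off)
        if li_flags & 0x1:  # VolumeIDAndLocalBasePath
            drive = struct.unpack_from("<I", data, li + vol_off + 4)[0]
            info["drive_type"] = DRIVE_TYPES.get(drive, "unknown")
            info["local_path"] = _cstr(data, li + base_off) + suffix
        if li_flags & 0x2:  # CommonNetworkRelativeLinkAndPathSuffix
            name_off = struct.unpack_from("<I", data, li + net_off + 8)[0]
            info["net_name"] = _cstr(data, li + net_off + name_off) + "\\" + suffix
        pos = li + size
    # StringData follows in this fixed order; UTF-16LE when IsUnicode is set.
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                info[key] = data[pos:pos + 2 * n].decode("utf-16-le")
                pos += 2 * n
            else:
                info[key] = data[pos:pos + n].decode("latin-1")
                pos += n
    return info


def triage(data):
    """Parse one LNK and list why it deserves a look on removable media or a share."""
    info = parse_lnk(data)
    reasons = []
    if info["drive_type"] in ("removable", "remote"):
        reasons.append("target volume was %s when the link was made" % info["drive_type"])
    if info["net_name"]:
        reasons.append("target on network share " + info["net_name"])
    target = info["local_path"] or info["net_name"] or info["relative_path"] or ""
    if target.lower().endswith(EXEC_SUFFIXES):
        reasons.append("target is a binary: " + target)
    if info["arguments"]:
        reasons.append("arguments: " + info["arguments"])
    return info, reasons


def scan_tree(root):
    """Walk a mounted drive or a share copy and triage every *.lnk found."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".lnk"):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    try:
                        findings[full] = triage(fh.read())[1]
                    except ValueError as exc:
                        findings[full] = ["unparseable: %s" % exc]
    return findings


def build_sample_lnk(local_path, drive_type, arguments=None):
    """Construct a minimal, well-formed LNK (constructed sample data only)."""
    path = local_path.encode("latin-1") + b"\x00"
    volume = struct.pack("<4I", 17, drive_type, 0x1234ABCD, 16) + b"\x00"  # VolumeID, empty label
    body = volume + path + b"\x00"  # VolumeID, LocalBasePath, empty CommonPathSuffix
    link_info = struct.pack("<7I", 28 + len(body), 28, 0x1, 28, 28 + len(volume),
                            0, 28 + len(volume) + len(path)) + body
    flags, strings = HAS_LINK_INFO | IS_UNICODE, b""
    if arguments:
        flags |= HAS_ARGUMENTS
        strings = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    header = (struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<II", flags, 0x20)
              + b"\x00" * 24 + struct.pack("<IiIHHII", 0, 0, 1, 0, 0, 0, 0))
    return header + link_info + strings + b"\x00\x00\x00\x00"  # TerminalBlock


if __name__ == "__main__":
    sample = build_sample_lnk("E:\\docs\\report.exe", 2, "/quiet")
    print(triage(sample))
```

Run it on an analysis host (any OS) against a copy of the suspect drive or share, e.g. `scan_tree("/mnt/usb")`. The drive type is recorded by the system that created the shortcut, so a link whose target volume was "removable" or "remote" and whose target is an executable is exactly the staged layout the advisory describes. The parser is deliberately conservative: it stops at the fields it needs and raises on anything that is not a Shell Link rather than guessing.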
The 0patch Microfix for CVE-2020-0729
Microsoft provides the update for Windows 7 SP1 and Windows Server 2008/R2 only to enterprise customers holding an ESU license for those machines. For everyone else, ACROS Security has developed a micro patch for users of the 0patch agent.
Our micropatch has 11 instructions in two patchlets, and is logically identical to Microsoft's official patch. Patchlet 2 makes sure that the allocated memory block is initialized, and patchlet 1 performs a pointer check for NULL. pic.twitter.com/oRSUJNzjqA
— 0patch (@0patch) April 3, 2020
The micro patch is available to 0patch Pro and Enterprise subscribers. Mitja Kolsek pointed this out to me in a private message a few hours ago. There is also this video on YouTube demonstrating it. How the 0patch agent works (it loads the micro patches into the memory of the affected application at run time, without modifying the binaries on disk) is explained in the blog posts linked below (e.g. here).
Windows 7: Forcing February 2020 Security Updates – Part 1
Windows 7: Securing with the 0patch solution – Part 2
Windows 7/Server 2008/R2: 0patch delivers security patches after support ends
Project: Windows 7/Server 2008/R2 Life Extension & 0patch one month trial
0patch: Fix for Internet Explorer 0-day vulnerability CVE-2020-0674
0patch: Fix for Windows Installer flaw CVE-2020-0683
0patch fix for Windows GDI+ vulnerability CVE-2020-0881
0-day vulnerability in Windows Adobe Type Library