[German]ACROS Security has released a micropatch for the CVE-2020-1015 vulnerability in the User-Mode Power Service of Windows 7 and Server 2008 R2 (without ESU license).
The vulnerability CVE-2020-1015
CVE-2020-1015 is an Elevation of Privilege vulnerability in the user mode power service. It occurs because the user-mode power service (UMPS) incorrectly handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated privileges. However, to exploit the vulnerability, a locally authenticated attacker would have to execute a specially crafted application.
Microsoft describes the vulnerability in this document and released security updates for Windows 7 through Windows 10 on April 14, 2020. However, users of Windows 7 SP1 and Windows Server 2008 R2 who do not have an ESU license will no longer receive the security updates released by Microsoft.
I wrote a blog post analyzing CVE-2020-1015 + basic PoC code. The post is available: https://t.co/gY1YO5p8E9 and the code: https://t.co/VRkTbxy4iP Thanks to @tiraniddo for writing great tools around RPC.
— 0xeb_bp (@0xeb_bp) May 13, 2020
A security researcher has analyzed this and pointed out details including a proof of concept in the above tweet.
0patch-Fix for Windows 7 SP1/Server 2008 R2
ACROS Security has developed a micropatch for the vulnerability CVE-2020-1015. Mitja Kolsek from ACROS Security informed me privately that the micropatch for Windows 7 SP1 and Windows Server 2008 R2 has been released. There is now also a message on Twitter.
Windows 7 and Server 2008 R2 users without Extended Security Updates have just received a micropatch for CVE-2020-1015, a memory corruption vulnerability in User-Mode Power Service that could allow a local attacker to execute arbitrary code as Local System. pic.twitter.com/0qEOTmVPRJ
— 0patch (@0patch) May 27, 2020
In further follow-up tweets ACROS Security gives further explanations about the vulnerability and the micropatch. This patch is available for subscribers of the Pro and Enterprise version. Hints on how the 0patch agent, which loads the micropatch into memory at runtime of an application, works can be found in the blog posts (e.g. here), which I have linked below.
Windows 7: Forcing February 2020 Security Updates – Part 1
Windows 7: Securing with the 0patch solution – Part 2
Windows 7/Server 2008/R2: 0patch delivers security patches after support ends
Project: Windows 7/Server 2008/R2 Life Extension & 0patch one month trial
0patch: Fix for Internet Explorer 0-day vulnerability CVE-2020-0674
0patch: Fix for Windows Installer flaw CVE-2020-0683
0patch fix for Windows GDI+ vulnerability CVE-2020-0881
0-day vulnerability in Windows Adobe Type Library
0patch fixes CVE-2020-0687 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1048 in Windows 7/Server 2008 R2