0patch fixes Windows Installer 0-day Local Privilege Escalation vulnerability

ACROS Security has released a micropatch for its 0patch agent that addresses a Local Privilege Escalation 0-day vulnerability in Windows Installer. Here is some information on what is involved.


The Local Privilege Escalation 0-day in the Windows Installer

On December 26, security researcher Abdelhamid Naceri published a blog post detailing a number of 0-day vulnerabilities in Windows Defender, Windows Setup, Avast and so on. One of these 0-day vulnerabilities allows Local Privilege Escalation attacks via Windows Installer.

Through the vulnerability, the security researcher managed to exploit the Microsoft patch for the CVE-2020-16902 vulnerability and other vulnerabilities. The lever for attacks: when installing an MSI package, Windows Installer creates a rollback script in case the installation fails at some point and all changes made up to that point have to be reverted.

If a local attacker who is not an administrator manages to replace this rollback script with a custom script that "flips" a value in the system registry to point to the attacker's executable, this can be used for local privilege escalation. Abdelhamid was able to create a proof-of-concept that allows exploitation of this vulnerability. The details are described in Abdelhamid Naceri's blog post, as well as in this blog post from ACROS Security. There is no patch available yet from Microsoft to close the vulnerability.

0patch fix available

Mitja Kolsek alerted me on Twitter that ACROS Security is providing a micropatch for all 0patch users.

Windows Installer 0-day LPE vulnerability
(0patch Fix for LPE vulnerability)


Mitja Kolsek has published some more details about this micropatch and the vulnerability in this blog post. The micropatch is available now for all 0patch users (including those with the Free license) and has already been applied to all online computers running the 0patch Agent. As always, no computer restart is required and users' work is not interrupted.

For information on how the 0patch Agent works, which loads the micro-patches into memory at runtime of an application, please refer to the blog posts (e.g. here) I have linked below.

Similar articles:
Windows 7: Forcing February 2020 Security Updates – Part 1
Windows 7: Securing with the 0patch solution – Part 2
0patch supports Office 2010 with micro patches after the end of support (EOL)
Windows 7/Server 2008/R2: 0patch delivers security patches after support ends
Project: Windows 7/Server 2008/R2 Life Extension & 0patch one month trial
0patch: Fix for Internet Explorer 0-day vulnerability CVE-2020-0674
0patch: Fix for Windows Installer flaw CVE-2020-0683
0patch fix for Windows GDI+ vulnerability CVE-2020-0881
0-day vulnerability in Windows Adobe Type Library
0patch fixes CVE-2020-0687 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1048 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1015 in Windows 7/Server 2008 R2
0patch for 0-day RCE vulnerability in Zoom for Windows
Windows Server 2008 R2: 0patch fixes SIGRed vulnerability
0patch fixes CVE-2020-1113 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1337 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1530 in Windows 7/Server 2008 R2
0patch fixes Zerologon (CVE-2020-1472) vulnerability in Windows Server 2008 R2
0patch fixes CVE-2020-1062 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1300 in Windows 7/Server 2008 R2
0patch fixes 0-day vulnerability in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1013 in Windows 7/Server 2008 R2
0patch fixes a Local Privilege Escalation 0-day in Sysinternals PsExec
