The security team at ACROS Security, led by founder Mitja Kolsek, has just developed a micropatch that closes a remote code execution vulnerability in the ms-officecmd URL handler of Windows and released it to customers with a 0patch PRO or Enterprise license. No CVE has been assigned to this vulnerability yet. Here is some information about it.
The ms-officecmd RCE vulnerability
In the blog post Microsoft Teams Bugs: Blocks Emergency calls, unpatched phishing vulnerability since March 2021, I had mentioned in passing that Positive Security had stumbled upon a code execution vulnerability in Windows 10 that could be triggered via IE11/Edge Legacy and MS Teams. It is a critical vulnerability in the handling of the "ms-officecmd" URL handler in Windows.
The vulnerability allowed a remote attacker to execute arbitrary code on the user's computer if the user visited a malicious web page in a browser or opened a crafted link. Such a link could be presented to the user in documents or messaging applications.
Positive Security has reported this flaw to Microsoft. Redmond reportedly fixed this vulnerability without assigning a CVE ID (because "changes to web pages, downloads through Defender or through the Store are not normally assigned a CVE ID in the same way").
The fix was not distributed via Windows Update but via the Microsoft Store. A prerequisite for receiving it was that the AppX Deployment Service was running. This service (AppXSVC) is enabled by default in Windows 10 and is started on demand. However, a search for "AppXSVC activate" yields quite a few hits, so it is safe to assume that the service is often turned off (because it can cause high CPU usage). Moreover, in a typical corporate environment there is no need to allow the Microsoft Store, so it is blocked via Group Policy, and the Store-delivered fix does not reach such machines. Mitja Kolsek explains the details in this blog post.
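To make the prerequisites described above checkable on a given machine, here is a read-only PowerShell audit as an added example; it is not code from the original post, from 0patch or from Positive Security. It assumes that the ms-officecmd handler is provided by an AppX package (the package step simply reports nothing otherwise) and that the "Turn off the Store application" Group Policy is stored as the RemoveWindowsStore value under HKLM\ or HKCU\SOFTWARE\Policies\Microsoft\WindowsStore; both assumptions are marked in the code.

```powershell
# Added example (not from the original post, 0patch or Positive Security):
# a read-only audit of whether a Windows 10 machine could even have received
# the Store-delivered fix for the ms-officecmd handler. It reports
#   1. whether the ms-officecmd URL protocol is registered and what it launches,
#   2. which installed AppX package declares that protocol, and its version,
#   3. whether the AppX Deployment Service (AppXSvc) is disabled,
#   4. whether the Microsoft Store is turned off by policy.
# Run in an elevated Windows PowerShell 5.1 session on the machine being checked.
# ASSUMPTIONS: the handler ships as an AppX package (step 2 finds nothing
# otherwise), and the "Turn off the Store application" policy is stored as
# RemoveWindowsStore=1 under the WindowsStore policy key (step 4).

$scheme   = 'ms-officecmd'
$findings = @()

# 1. URL protocols are registered under HKCR\<scheme>; shell\open\command is
#    what the browser hands the full URL to when such a link is opened.
$key = "Registry::HKEY_CLASSES_ROOT\$scheme"
if (Test-Path $key) {
    $cmd = (Get-ItemProperty -Path "$key\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    $findings += "Protocol '$scheme' is registered; open command: $cmd"
} else {
    $findings += "Protocol '$scheme' is not registered on this machine (handler absent)"
}

# 2. Find the package whose manifest declares <uap:Protocol Name="ms-officecmd">.
#    local-name() is used so the namespace prefix in the manifest does not matter.
#    Get-AppxPackage lists the current user's packages; add -AllUsers for every profile.
$handlerPkgs = foreach ($pkg in Get-AppxPackage) {
    $manifest = Get-AppxPackageManifest -Package $pkg.PackageFullName -ErrorAction SilentlyContinue
    if ($manifest -and
        $manifest.SelectNodes("//*[local-name()='Protocol' and @Name='$scheme']").Count -gt 0) {
        "$($pkg.Name) $($pkg.Version)"
    }
}
if ($handlerPkgs) {
    $findings += "Package(s) declaring '$scheme': $($handlerPkgs -join ', ') (compare against the version you know to be fixed)"
} else {
    $findings += "No installed AppX package declares '$scheme' (assumption: handler is an AppX package)"
}

# 3. Store updates for AppX packages are installed by AppXSvc; if the service is
#    disabled, the fix never lands even when the Store itself is reachable.
$svc = Get-Service -Name AppXSvc -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "AppXSvc: status=$($svc.Status), start type=$($svc.StartType)"
    if ($svc.StartType -eq 'Disabled') {
        $findings += "WARNING: AppXSvc is disabled; Store-delivered fixes cannot be installed"
    }
} else {
    $findings += "AppXSvc service not found"
}

# 4. Group Policy "Turn off the Store application" (assumed registry mapping:
#    RemoveWindowsStore = 1 in the machine or user policy hive).
foreach ($hive in 'HKLM', 'HKCU') {
    $pol = Get-ItemProperty -Path "${hive}:\SOFTWARE\Policies\Microsoft\WindowsStore" -ErrorAction SilentlyContinue
    if ($pol -and $pol.RemoveWindowsStore -eq 1) {
        $findings += "WARNING: Store is turned off by policy in $hive; the Store-delivered fix will not arrive"
    }
}

$findings
```

A machine that shows the protocol registered, AppXSvc disabled or the Store policy set is exactly the case the text above describes: the handler is present, but the channel Microsoft used to fix it is closed, which is where a micropatch loaded into the running process becomes the practical option.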
The 0Patch solution for the ms-officecmd RCE vulnerability
The team at ACROS Security, which has been providing the 0patch solution for years, analyzed the RCE vulnerability and provided a micropatch that renders it harmless. Mitja Kolsek drew attention to this solution on Twitter.
Details are described in this December 23, 2021 blog post from 0patch. The 0patch micropatches are available to customers with a 0patch PRO or Enterprise license. Notes on how the 0patch agent works, which loads the micropatches into the memory of the running application at runtime, can be found in earlier blog posts (such as this one).
0patch: Fix for Internet Explorer 0-day vulnerability CVE-2020-0674
0patch: Fix for Windows Installer flaw CVE-2020-0683
0patch fix for Windows GDI+ vulnerability CVE-2020-0881
0-day vulnerability in Windows Adobe Type Library
0patch fixes CVE-2020-0687 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1048 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1015 in Windows 7/Server 2008 R2
0patch for 0-day RCE vulnerability in Zoom for Windows
Windows Server 2008 R2: 0patch fixes SIGRed vulnerability
0patch fixes CVE-2020-1113 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1337 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1530 in Windows 7/Server 2008 R2
0patch fixes Zerologon (CVE-2020-1472) vulnerability in Windows Server 2008 R2
0patch fixes CVE-2020-1062 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1300 in Windows 7/Server 2008 R2
0patch fixes 0-day vulnerability in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1013 in Windows 7/Server 2008 R2
0patch fixes a Local Privilege Escalation 0-day in Sysinternals PsExec
0patch fixes Windows Installer 0-day Local Privilege Escalation vulnerability
0patch fixes 0-day in Internet Explorer
0patch fixes CVE-2021-26877 in the DNS server of Windows Server 2008 R2
0patch fixes Windows Installer LPE-Bug (CVE-2021-26415)
0Patch provides support for Windows 10 version 1809 after EOL
Windows 10 V180x: 0Patch fixes IE vulnerability CVE-2021-31959
0Patch Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)
0patch fix for new Windows PrintNightmare 0-day vulnerability (Aug. 5, 2021)
0patch fix for Windows PetitPotam 0-day vulnerability (Aug. 6, 2021)
2nd 0patch fix for Windows PetitPotam 0-day vulnerability (Aug. 19, 2021)
Windows 10: 0patch fix for MSHTML vulnerability (CVE-2021-40444)
0patch fixes LPE Vulnerability (CVE-2021-34484) in Windows User Profile Service
0patch fixes LPE vulnerability (CVE-2021-24084) in Mobile Device Management Service
0patch fixes InstallerTakeOver LPE 0-day vulnerability in Windows