An unofficial patch is now available through ACROS Security’s 0patch service for a zero-day vulnerability identified earlier this month in Windows 7 and Windows Server 2008 R2.
The privilege escalation flaw, detailed by security researcher Clément Labro on November 12, exists because all users have write permissions for HKLMSYSTEMCurrentControlSetServicesDnscache and HKLMSYSTEMCurrentControlSetServicesRpcEptMapper, two keys that could be used for code execution.
Specifically, the researcher discovered that a local non-admin user could target any of the two keys to create a Performance subkey, then trigger performance monitoring to load an attacker DLL through the Local System WmiPrvSE.exe process, and execute code from it.
The Performance subkey specifies the name of the driver’s performance DLL and that of specific functions in that DLL. Because a user could add value entries to the subkey, a local user could abuse the issue to execute code with SYSTEM privileges.
The researcher, who has created proof-of-concept code targeting the bug, says the impact of this flaw is low, given the required local access, not to mention the fact that only older, no longer supported versions of Windows are affected.
Both Windows 7 and Windows Server 2008 R2 reached end of support on January 2020 and are currently in the Extended Security Updates (ESU) period, but will no longer receive security fixes past January 2023.
ACROS Security, however, has promised fixes for these platform iterations even after Microsoft stops providing support for them, and even for systems that are not enrolled in the ESU program.
As part of its 0patch service, the Slovenia-based company has now released an unofficial, free micropatch for the newly disclosed zero-day, to eliminate the use of this specific Performance key, thus preventing its abuse.
“This obviously breaks performance monitoring for the affected services but that’s a trade-off we believe is beneficial to our users. In case performance monitoring is needed for these services, the micropatch can always be temporarily disabled (again, no restart of the service, much less of the computer, is needed for that),” the company explains.
The micropatch, which can be viewed in action in this video, targets Windows 7 and Server 2008 R2 computers with and without ESU, which have the November 2020 or January 2020 updates, respectively.
Related: Unofficial Patches Released for Exploited Windows Font Processing Flaws
Related: Unofficial Patch Released for Recently Disclosed Internet Explorer Zero-Day
Related: 0patch Promises Support for Windows 7 Beyond January 2020

More from Ionut Arghire
- New York Attorney General Fines Vendor for Illegally Promoting Spyware
- 20 Million Users Impacted by Data Breach at Instant Checkmate, TruthFinder
- Florida Hospital Cancels Procedures, Diverts Patients Following Cyberattack
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Atlassian Warns of Critical Jira Service Management Vulnerability
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- Google Shells Out $600,000 for OSS-Fuzz Project Integrations
- F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution
Latest News
- Comcast Wants a Slice of the Enterprise Cybersecurity Business
- Critical Baicells Device Vulnerability Can Expose Telecoms Networks to Snooping
- New York Attorney General Fines Vendor for Illegally Promoting Spyware
- SecurityWeek Analysis: Over 450 Cybersecurity M&A Deals Announced in 2022
- 20 Million Users Impacted by Data Breach at Instant Checkmate, TruthFinder
- Cyber Insights 2023 | Zero Trust and Identity and Access Management
- Cyber Insights 2023 | The Coming of Web3
- European Police Arrest 42 After Cracking Covert App
