Security researcher accidentally discovers Windows 7 and Windows Server 2008 zero-day

“Oh-oh” as the Teletubbies might say. There’s no official patch available for this, so you might want to investigate this third-party patch if you use either of these unsupported platforms:

[…] But while most security researchers report severe security issues like these to Microsoft in private when they find them, in Labro’s case this was too late.

Labro said he discovered the zero-day after he released an update to PrivescCheck, a tool to check common Windows security misconfigurations that can be abused by malware for privilege escalation.

The update, released last month, added support for a new set of checks for privilege escalation techniques.

Labro said he didn’t know the new checks were highlighting a new and unpatched privilege escalation method until he began investigating a series of alerts appearing on older systems like Windows 7, days after the release.

By that time, it was already too late for the researcher to report the issue to Microsoft in private, and the researcher chose to blog about the new method on his personal site instead.

Original Article