2022-10-15

Windows is not “full of bugs”, as the extremists for whom “Linux is better” at any cost like to think, but since it is the most popular operating system, the bad guys do literally everything to find its vulnerabilities.

This is the case with last month's correction of the problem described below: it predates this month's “Patch Tuesday”, but it is still noteworthy.

What was the corrected Windows 0-day last month?

Details have emerged about a now-corrected security flaw in the Common Log File System (CLFS, a fairly well-known .sys file in the industry) of Windows that could be exploited by an attacker to obtain high-level permissions (such as administrator) on already compromised computers.

Tracked as CVE-2022-37969 (CVSS score: 7.8), the 0-day was addressed by Microsoft in the September 2022 Patch Tuesday updates, alongside a series of other problems of various kinds.

“An attacker must already have access and the ability to execute code on the target system,” Microsoft argues in its advisory. “This technique does not allow remote code execution in cases where the attacker does not already have such access on the target system.”

The Redmond company also credited researchers from CrowdStrike, DBAPPSecurity, Mandiant and Zscaler for reporting the vulnerability, without going into further detail about the nature of the attacks.

Now, the research team at Zscaler ThreatLabz has disclosed that it found an exploit in the wild for the then 0-day on September 2, 2022 (note: an in-the-wild exploit is, according to Kaspersky, very dangerous software that runs on ordinary users’ computers without their knowledge).

“The cause of the vulnerability is due to the lack of strict boundary checking in the cbSymbolZone field in the base record header for the base log file (BLF) in CLFS.sys,” said the cybersecurity company in its root cause analysis of the problem.

“If the cbSymbolZone field is set to an invalid offset, an out-of-bounds write [an overflow, for those in the trade] occurs at the invalid offset.”

CLFS (represented by the .sys file of the same name on Windows) is a general-purpose logging service that can be used by software applications running in both user mode and kernel mode to log data and events and to optimize log access.

Some of the use cases associated with CLFS include online transaction processing (OLTP), network event logging, compliance checks, and threat analysis.

According to Zscaler, the vulnerability is rooted in a block of metadata called the “base record”, which is present in a base log file; that file is generated when a log file is created using the CreateLogFile() function.

“[The base record] contains the symbol tables which store information about the various clients, containers and security contexts associated with the base log file, as well as accounting information about these [files],” according to Alex Ionescu, chief engineer of CrowdStrike.
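The missing check that the root cause analysis describes, as an added illustration (this is not code from the article, from Zscaler or from Microsoft): a hypothetical, much-simplified base-record model in which a file-supplied cbSymbolZone offset is used for a write. The struct layout, sizes, byte order and function names are all assumptions for the example and do not reproduce the real CLFS BLF format. The unguarded write is shown beside the same write protected by a range check, and the check is applied once at load time so that no later code ever sees an invalid offset.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical, simplified base record (NOT the real CLFS BLF layout):
 * a 4-byte little-endian cbSymbolZone offset followed by a fixed-size
 * data area. cbSymbolZone says where the symbol zone starts in data[]. */
#define RECORD_DATA_SIZE 64u
#define SYMBOL_SIZE      8u
#define HEADER_SIZE      4u
#define MAX_SYMBOL_ZONE  (RECORD_DATA_SIZE - SYMBOL_SIZE)

typedef struct {
    uint32_t cbSymbolZone;
    uint8_t  data[RECORD_DATA_SIZE];
} base_record_t;

/* The strict boundary check: a symbol written at cbSymbolZone must fit
 * entirely inside data[]. Returns 1 if the offset is acceptable. */
int symbol_zone_offset_is_valid(uint32_t cbSymbolZone) {
    return cbSymbolZone <= MAX_SYMBOL_ZONE;
}

/* "Before": the offset comes straight from the file and is trusted.
 * With an oversized cbSymbolZone the memcpy lands outside data[], which is
 * the out-of-bounds write. Kept only as the contrast; never call it on a
 * record whose offset has not been validated. */
void write_symbol_unchecked(base_record_t *rec, const uint8_t sym[SYMBOL_SIZE]) {
    memcpy(rec->data + rec->cbSymbolZone, sym, SYMBOL_SIZE);
}

/* "After": refuse the write unless the offset is in range. 0 = written. */
int write_symbol_checked(base_record_t *rec, const uint8_t sym[SYMBOL_SIZE]) {
    if (!symbol_zone_offset_is_valid(rec->cbSymbolZone))
        return -1;                 /* reject: the write would leave data[] */
    memcpy(rec->data + rec->cbSymbolZone, sym, SYMBOL_SIZE);
    return 0;
}

/* Parse a record image (as read from a file) and validate cbSymbolZone at
 * load time. 0 = ok, -1 = buffer too short, -2 = invalid offset. */
int load_base_record(const uint8_t *buf, size_t len, base_record_t *out) {
    if (len < HEADER_SIZE + RECORD_DATA_SIZE)
        return -1;
    uint32_t cb = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
                  ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    if (!symbol_zone_offset_is_valid(cb))
        return -2;
    out->cbSymbolZone = cb;
    memcpy(out->data, buf + HEADER_SIZE, RECORD_DATA_SIZE);
    return 0;
}

/* Build a constructed (sample) record image carrying the given offset. */
size_t make_record_image(uint32_t cbSymbolZone, uint8_t *buf, size_t len) {
    if (len < HEADER_SIZE + RECORD_DATA_SIZE)
        return 0;
    buf[0] = (uint8_t)cbSymbolZone;         buf[1] = (uint8_t)(cbSymbolZone >> 8);
    buf[2] = (uint8_t)(cbSymbolZone >> 16); buf[3] = (uint8_t)(cbSymbolZone >> 24);
    memset(buf + HEADER_SIZE, 0, RECORD_DATA_SIZE);
    return HEADER_SIZE + RECORD_DATA_SIZE;
}

/* Full path on a constructed image: load, then guarded write. Returns the
 * load error if loading fails, the write error if the write is refused,
 * -3 if the symbol did not land where expected, 0 on success. */
int check_record_with_offset(uint32_t cbSymbolZone) {
    uint8_t image[HEADER_SIZE + RECORD_DATA_SIZE];
    base_record_t rec;
    const uint8_t sym[SYMBOL_SIZE] = "SYMBOL7";   /* 7 chars + NUL */
    make_record_image(cbSymbolZone, image, sizeof image);
    int r = load_base_record(image, sizeof image, &rec);
    if (r != 0)
        return r;
    r = write_symbol_checked(&rec, sym);
    if (r != 0)
        return r;
    return memcmp(rec.data + cbSymbolZone, sym, SYMBOL_SIZE) == 0 ? 0 : -3;
}

int main(void) {
    printf("offset 16        -> %d (0 = accepted)\n", check_record_with_offset(16));
    printf("offset 56        -> %d (last offset that still fits)\n", check_record_with_offset(56));
    printf("offset 57        -> %d (-2 = rejected at load)\n", check_record_with_offset(57));
    printf("offset 0xFFFFFF00 -> %d (-2 = rejected at load)\n", check_record_with_offset(0xFFFFFF00u));
    return 0;
}
```

The point of doing the check in load_base_record rather than only in the write helper is that every later consumer of the record, not just one code path, gets a validated offset; the check compares against the largest offset at which a whole symbol still fits, so an offset that is in range but leaves too little room is rejected too.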

As a result, successfully exploiting the CVE-2022-37969 bug through a specially crafted base log file could cause memory corruption and, by extension, reliably lead to a system crash (also known as a blue screen of death, or BSoD); in short, the blue-screen side of this problem is not so much a “0-day”.

That said, a system crash is only one of the outcomes of exploiting this vulnerability, as it could also be weaponised to gain high-level (administrator) access privileges.

Zscaler has also made proof-of-concept (PoC) instructions available that trigger the security flaw, making it essential that Windows users update to the latest version to mitigate potential cyber threats.

Don’t panic in any case: the 0-day problem has been properly fixed.