Security News > 2020 > November > Windows 7 and Server 2008 zero-day bug gets a free patch
An unpatched local privilege escalation vulnerability affecting all Windows 7 and Server 2008 R2 devices received a free and temporary fix today through the 0patch platform.
0patch's free micropatch is targeting Windows 7 and Server 2008 R2 computers without ESU and those with ESU. At the moment, only small-and-midsize businesses or organizations with volume-licensing agreements can get an ESU license until January 2023.
The LPE vulnerability stems from the misconfiguration of two service registry keys and it enables local attackers to elevate their privileges on any fully patched Windows 7 and Server 2008 R2 system.
"At this point, if you are still using Windows 7 / Server 2008 R2 without isolating these machines properly in the network first, then preventing an attacker from getting SYSTEM privileges is probably the least of your worries," Labro said.
0patch micropatches are code sent through the 0patch platform to Windows clients to patch security issues in real-time and applied to running processes without requiring a system restart.
News URL
Related news
- New Windows zero-day leaks NTLM hashes, gets unofficial patch (source)
- Microsoft March 2025 Patch Tuesday fixes 7 zero-days, 57 flaws (source)
- Choose your own Patch Tuesday adventure: Start with six zero day fixes, or six critical flaws (source)
- Apple Releases Patch for WebKit Zero-Day Vulnerability Exploited in Targeted Attacks (source)
- Microsoft patches Windows Kernel zero-day exploited since 2023 (source)
- Patch Tuesday: Microsoft Fixes 57 Security Flaws – Including Active Zero-Days (source)
- Unpatched Windows Zero-Day Flaw Exploited by 11 State-Sponsored Threat Groups Since 2017 (source)
- New Windows zero-day exploited by 11 state hacking groups since 2017 (source)
- APTs have been using zero-day Windows shortcut exploit for eight years (ZDI-CAN-25373) (source)
- Veeam RCE bug lets domain users hack backup servers, patch now (source)