February 23, 2016
Upon its release, Windows 7 was hailed as "the most secure Windows ever"—true enough at the time, but its predecessor Windows Vista didn't exactly set a high bar security-wise. Nonetheless, the updated OS shipped with literally hundreds of security changes and additions, addressing the needs of a more security-conscious home and business user base with features like AppLocker, BitLocker Drive Encryption technology, and more. Despite these improvements, Windows 7 has its own set of critical vulnerabilities—here are the top 11 on the list and how to fix them.
10. Driver Improper Interaction with Windows Kernel Vulnerability
By using a stack-based buffer overflow in the RtlQueryRegistryValues function in win32k.sys, local users can gain privileges and bypass the User Account Control (UAC) feature through a specially crafted REG_BINARY value for a SystemDefaultEUDCFont registry key.
9. Windows Fax Services Cover Page Editor Vulnerability
If you're still faxing, here's another reason to leave that remnant of the '80s behind: a heap-based buffer overflow in the CDrawPoly::Serialize function in fxscover.exe in Microsoft Windows Fax Services Cover Page Editor 5.2 r2 could allow remote attackers to execute arbitrary code via a long record in a Fax Cover Page (.cov) file.
8. Win32k Improper Message Handling Vulnerability
Another kernel-mode vulnerability, this flaw also involves win32k.sys in the kernel-mode drivers. In this case, the drivers do not properly handle window broadcast messages, which could allow local users to gain privileges through a specially crafted application.
7. Win32k.sys Elevation of Privilege Vulnerability
Windows 7's win32k.sys in kernel-mode drivers could enable local users to gain privileges through a specially crafted application.
6. Win32k Window Class Vulnerability
Windows 7's kernel-mode drivers improperly manage a window class, thereby allowing local users to gain privileges by creating a window and then using (1) the SetWindowLongPtr function to modify the popup menu structure, or (2) the SwitchWndProc function with a switch window information pointer, which is not re-initialized when a WM_NCCREATE message is processed.
5. Windows MFC Document Title Updating Buffer Overflow Vulnerability
This vulnerability involves the potential for stack-based buffer overflows in the UpdateFrameTitleForDocument method in the CFrameWnd class in mfc42.dll in the Microsoft Foundation Class (MFC) Library. Attackers can execute arbitrary code by way of a long window title that the library creates at the request of the application.
4. GDI Access Violation Vulnerability
The Graphics Device Interface (GDI) in win32k.sys in the kernel-mode drivers, primarily a Windows API for displaying graphics, does not properly validate user-mode input. This could give remote attackers the ability to execute arbitrary code or cause a memory corruption denial of service (DoS) with specially crafted data.
3. Windows OLE Remote Code Execution Vulnerability
Back in 2014, the so-called Sandworm made security headlines with its use of malicious PowerPoint files to install malware. Vulnerable Windows 7 installations could allow remote attackers to execute arbitrary code with a specially crafted OLE object in an Office document.
2. Insecure Library Loading Vulnerability
Windows Address Book (WAB) is a component that allows users to use a single list of contacts shared across multiple applications. Unfortunately, an untrusted search path vulnerability in wab.exe 6.00.2900.5512 in WAB could allow a local attacker to gain privileges via a Trojan horse wab32res.dll file in the current working directory.
1. Directory Traversal Elevation of Privilege Vulnerability
This directory traversal vulnerability in the Terminal Services component TSWbPrxy could allow a remote attacker to gain privileges with a specially crafted pathname in an executable file.
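For item 2 (insecure library loading), a defender can check whether the current working directory still takes part in DLL resolution and whether copies of wab32res.dll sit in user-writable folders. The script below is an added example, not code from this article or from Microsoft; it assumes the Session Manager registry values `SafeDllSearchMode` and `CWDIllegalInDllSearch` that Microsoft documents for DLL search-order hardening, and the search roots are placeholders to adapt.

```powershell
# Added example: audit DLL search-path hardening and list copies of
# wab32res.dll found under user-writable roots (assumed roots; adjust them).
$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-DllSearchHardening {
    $props = Get-ItemProperty -Path $SessionManager
    $safe  = $props.SafeDllSearchMode      # absent = default (enabled)
    $cwd   = $props.CWDIllegalInDllSearch  # absent = CWD still searched

    # A DWORD of 0xFFFFFFFF can surface as -1 or 4294967295; accept both.
    $cwdRemoved = ($cwd -eq -1) -or ($cwd -eq 4294967295)

    $cwdPolicy = if ($null -eq $cwd -or $cwd -eq 0) {
        'CWD is searched (no restriction)'
    } elseif ($cwd -eq 1) {
        'CWD skipped when it is a WebDAV folder'
    } elseif ($cwd -eq 2) {
        'CWD skipped when it is a remote folder (WebDAV or UNC)'
    } elseif ($cwdRemoved) {
        'CWD removed from the DLL search order'
    } else {
        "Unrecognised value: $cwd"
    }

    New-Object PSObject -Property @{
        SafeDllSearchMode = ($null -eq $safe) -or ($safe -ne 0)
        CwdPolicy         = $cwdPolicy
        # Only full removal also covers a local working directory.
        LocalCwdProtected = $cwdRemoved
    }
}

function Find-StrayDll {
    param(
        [string]   $Name  = 'wab32res.dll',
        [string[]] $Roots = @($env:USERPROFILE, $env:PUBLIC)
    )
    # A resource DLL beside documents or downloads deserves a closer look.
    Get-ChildItem -Path $Roots -Recurse -Force -Filter $Name -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object FullName, Length, LastWriteTime
}

Get-DllSearchHardening | Format-List
Find-StrayDll | Format-Table -AutoSize
```

Removing the working directory from the search order system-wide can break applications that rely on it, so test that setting on a representative machine before deploying it broadly.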
Microsoft ended mainstream support for Windows 7 back in January 2015, but as of this writing Windows 7 continues to command over 55% of the desktop OS market share. Don't let these vulnerabilities weaken your infrastructure's security posture—ScriptRock can scan your entire Windows environment for critical security flaws that most commonly lead to data breaches. Get started today, it's free for up to 10 nodes forever.