Microsoft ended support for Internet Explorer (IE) on June 15, but researchers report that, because of the very tight integration between IE and Windows, an IE Event Log still resides on all current Windows systems, and its permission set could potentially enable two vulnerabilities.
In a Tuesday blog post, Varonis researchers said the first vulnerability, LogCrusher, lets any domain user remotely crash the Event Log application of any Windows machine on a domain. The second vulnerability, OverLog — CVE-2022-37981 — causes a remote denial-of-service attack by filling the hard drive space on any Windows machine on a domain.
Microsoft has opted not to fully fix the LogCrusher vulnerability on Windows 10, the researchers say, but they also noted that more recent operating systems are unaffected.
The researchers also pointed out that as of Microsoft's Oct. 11 Patch Tuesday update, the default permissions setting that had allowed non-administrative users access to the IE Event Log on remote machines has been restricted to local administrators, greatly reducing the potential for harm.
“While it addresses this particular set of IE Event Log exploits, there remains potential for other user-accessible application Event Logs to be similarly leveraged for attacks,” say the researchers, who recommend that all potentially vulnerable systems apply the Microsoft-provided patch and monitor any suspicious activity.
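As an added example (not from the Varonis post or from Microsoft), the following PowerShell audits who holds access to the Internet Explorer event log channel, which is the setting the Oct. 11 change tightened to local administrators; the channel name, the allow-list of SIDs and the remediation SDDL in the closing comment are assumptions.

```powershell
# Added example: list every access-allowed DACL entry on the "Internet Explorer"
# event log channel that is granted to a principal other than local
# Administrators or SYSTEM. Channel name and allow-list are assumptions.
$Channel     = 'Internet Explorer'
$AllowedSids = @(
    'S-1-5-32-544'   # BUILTIN\Administrators
    'S-1-5-18'       # NT AUTHORITY\SYSTEM
)

function Get-EventLogChannelAccess {
    param(
        [Parameter(Mandatory)] [string] $LogName,
        [string[]] $Allowed = @()
    )
    # EventLogConfiguration exposes the channel's security descriptor as SDDL.
    $cfg  = New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogConfiguration -ArgumentList $LogName
    $sd   = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $cfg.SecurityDescriptor

    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only SID-bearing, access-allowed entries matter for this check.
        if (-not ($ace -is [System.Security.AccessControl.KnownAce])) { continue }
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier.Value
        if ($Allowed -contains $sid) { continue }

        try   { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }   # unresolvable SID: report it raw

        # Event log channel rights: 0x1 = read, 0x2 = write, 0x4 = clear.
        $rights = @()
        if ($ace.AccessMask -band 0x1) { $rights += 'Read'  }
        if ($ace.AccessMask -band 0x2) { $rights += 'Write' }
        if ($ace.AccessMask -band 0x4) { $rights += 'Clear' }

        [pscustomobject]@{
            Channel    = $LogName
            Principal  = $name
            Sid        = $sid
            AccessMask = ('0x{0:X}' -f $ace.AccessMask)
            Rights     = ($rights -join ',')
        }
    }
}

$findings = @(Get-EventLogChannelAccess -LogName $Channel -Allowed $AllowedSids)
if ($findings.Count -eq 0) {
    Write-Host "OK: only Administrators/SYSTEM hold access to '$Channel'."
} else {
    Write-Warning "Non-admin principals still hold access to '$Channel':"
    $findings | Format-Table -AutoSize
    # Illustrative tightening (adjust to your baseline before applying):
    #   wevtutil sl "Internet Explorer" /ca:"O:BAG:SYD:(A;;0x7;;;BA)(A;;0x7;;;SY)"
}
```

Run it on each host after the October update to confirm the restricted default actually took effect, and point the same function at other application channels to find ones the researchers warn could be similarly exposed.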
When an application reaches the end-of-support timeframe and the company opts to keep using the application (either by necessity or by choice) it accepts the premise that unfixed items will remain unfixed, said Matthew Fulmer, manager of cyber intelligence engineering at Deep Instinct. Fulmer said critical vulnerabilities could remain widely open to exploit (even if they are openly known to exist) and new vulnerabilities could be found/exploited with impunity purely because of a lack of updates to patch the vulnerabilities.
“This means you have to make a decision on how to move forward should something you are using become unsupported,” Fulmer said. “From an organizational perspective you would hope the vendor would give ample lead time for you to either test a new/upgraded version of the application or find a new application/vendor if the software you are using is being completely phased out.”
John Bambenek, principal threat hunter at Netenrich, added that often when code “works,” it’s rarely — if ever — revisited. Bambenek said occasionally there may be refactoring, but once engineers get something working, they move on to the next feature or project.
“As projects become end-of-life, it retreats farther to the background,” Bambenek said. “The problem comes in with code or library reuse because something that worked for a 10-year old project may still work today, while that code base is still not-maintained. In a similar way to software supply chain issues, companies can create their own mini-supply chain issues by relying on code that’s no longer maintained.”