"The Logging Dead: Internet Explorer Remnants Expose Windows to Exploits"

Researchers from Varonis Systems Inc.'s Threat Labs detailed a pair of vulnerabilities in the Windows operating system that can still be exploited, despite the release of a partial patch for one of them. Both vulnerabilities stem from the deep integration of Internet Explorer (IE) into Windows. Microsoft's support for IE ended in June, but specific features remain integrated into the operating system. One of these is an IE-specific Event Log, which is still present on all current Windows operating systems and has a unique set of permissions. Both vulnerabilities are found in this log.

The first vulnerability, called LogCrusher, enables any domain user to remotely crash the Event Log application on any Windows machine in the domain. The second vulnerability, called OverLog, enables a remote Denial-of-Service (DoS) attack by filling all available hard drive space on any Windows machine. Both exploits use Microsoft Event Log Remoting Protocol (MS-EVEN) functions, which allow for remote manipulation of a machine's event logs. LogCrusher is a logic flaw in ElfClearELFW, an MS-EVEN function that allows administrators to remotely clear and back up event logs. ElfClearELFW does not handle a NULL pointer in the backup file name structure, which causes it to crash.

The risk with LogCrusher is that many security controls rely on the Event Log service running normally. Security controls become blind in the absence of logs, and security control products that attach themselves to the service crash alongside it. Because alerts will not be triggered, an attacker could use any type of exploit or attack that would normally be detected. This article continues to discuss the two Event Log vulnerabilities impacting Windows.

SiliconANGLE reports "The Logging Dead: Internet Explorer Remnants Expose Windows to Exploits"

Submitted by Anonymous on