New Windows Event Log zero-Day Flaw Gets Unofficial Patches

Temporary patches have been released to address a new Windows-zero flaw dubbed EventLogCrasher that lets attackers remotely crash the Event Log service on devices within the same Windows domain. According to security researcher Florian, who discovered and reported the flaw, Microsoft tagged the flaw as “not meeting servicing requirements” and said it's a duplicate of a bug that was disclosed in 2022 (no further details were provided). To bring light to the issue, last week Florian released a proof-of-concept, detailing the ‘EventLogCrasher’ Oday,

“To exploit the zero-day in default Windows Firewall configurations, attackers need network connectivity to the target device and any valid credentials (even with low privileges). Therefore, they can always crash the Event Log service locally and on all Windows computers in the same Windows domain, including domain controllers, which will let them ensure that their malicious activity will no longer be recorded in the Windows Event Log. Once the Event Log service crashes, Security Information and Event Management (SIEM) and Intrusion Detection Systems (IDS) will be directly impacted as they can no longer ingest new events to trigger security alerts” (Bleeping Computer, 2024).

Security Officer Comments:
According to 0patch, which released the micro patches for the zero-day flaw, a low-privileged attacker can crash the Event Log service both on the local machine and on any other Windows computer in the network they can authenticate to. With a service downtime, this could enable plenty of time for the actor to conduct further attacks without being noticed, as detection mechanisms in place ingesting Windows logs will be blind.

Suggested Corrections:
This zero-day vulnerability affects all versions of Windows, from Windows 7 up to the latest Windows 11 and from Server 2008 R2 to Server 2022. The 0patch micropatching service released unofficial patches for most affected Windows versions on Wednesday, available for free until Microsoft releases official security updates to address the zero-day bug. To install the necessary patches on your Windows system, create a 0patch account and install the 0patch agent on the device. Once you've launched the agent, the micropatch will be applied automatically without requiring a system restart, provided there is no custom patching policy in place to block it.