On Tuesday researchers at Varonis detailed two vulnerabilities stemming from legacy Internet Explorer integration still left behind in Windows impacting Windows Event Log. LogCrusher exploits a bug in the logic in handling remote event log interactions to crash Windows Event Log on the target machine, and OverLog abuses an oversight in permissions requirements that enables any user to create backups of event logs, allowing an attacker to completely fill the target machine’s hard drive, making it unusable. Microsoft’s latest patches have addressed these, fixing the permissions validation oversight, though Windows 10 remains vulnerable to LogCrusher attacks performed by an attacker with local administrator permissions.
Since both vulnerabilities were addressed in this month’s Patch Tuesday, companies should look to patching all their Windows devices as soon as their patch management procedure allows. Additionally, it can be a good idea to implement file system and service monitoring on workstations and servers. Tools such as osquery can do this; in general, such tools can empower Administrators to more effectively understand the activity occurring on the systems for which they are responsible.