HackAndPwn
Security & Vulnerability Researcher / Professional Penetration Tester


  • Windows 7 ESU Patching

    With the May 2020 Windows 7 updates, I went on a mission to determine the minimum set of updates needed to enable all features within Windows 7, including optional hotfixes, and to have the most up-to-date installation possible. After extensive testing, I concluded that 35 updates not offered through Windows Update would need to be installed to reach this objective. The following sections describe the updates required and provide links to each.


  • Windows 7 ESU Analysis Updates

    The original Windows 7 ESU Analysis can be found here. With the September 2020 Cumulative Update, the technique as described no longer works to install this update. However, only slight modifications need to be made in order for this new update to also install.


  • CVE-2020-7323

    Authentication Protection Bypass vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 September 2020 Update allows physical local users to bypass the Windows lock screen via triggering certain detection events while the computer screen is locked and the McTray.exe is running with elevated privileges. This issue is timing dependent and requires physical access to the machine.


  • Windows 7 ESU Analysis

    The Windows 7 free security update window closed to consumers in January of 2020. However, due to the overwhelming popularity of the OS, Microsoft began offering Extended Security Updates (ESU) for the Operating System. The first update preparing a Windows 7 system for this next phase of patches is KB4528069. This post dissects the KB4528069 update to understand how ESUs differ from standard Windows 7 updates.


  • CVE-2019-3585

    Privilege Escalation vulnerability in Microsoft Windows client (McTray.exe) in McAfee VirusScan Enterprise (VSE) 8.8 prior to Patch 14 may allow local users to interact with the On-Access Scan Messages - Threat Alert Window with elevated privileges via running McAfee Tray with elevated privileges.


  • CVE-2019-3588

    Privilege Escalation vulnerability in Microsoft Windows client (McTray.exe) in McAfee VirusScan Enterprise (VSE) 8.8 prior to Patch 14 may allow unauthorized users to interact with the On-Access Scan Messages - Threat Alert Window when the Windows Login Screen is locked.


  • CVE-2020-11443

    The Zoom IT installer for Windows (ZoomInstallerFull.msi) prior to version 4.6.10 deletes files located in %APPDATA%\Zoom before installing an updated version of the client. Standard users are able to write to this directory, and can write links to other directories on the machine. As the installer runs with SYSTEM privileges and follows these links, a user can cause the installer to delete files otherwise not deletable by the user.


  • CVE-2020-7255

    Privilege escalation vulnerability in the administrative user interface in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 February 2020 Update allows local users to gain elevated privileges via a configuration error.


  • CVE-2020-7274

    Privilege escalation vulnerability in McTray.exe in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 April 2020 Update allows local users to spawn unrelated processes with elevated privileges via the system administrator granting McTray.exe elevated privileges.


  • CVE-2019-3637

    Privilege Escalation vulnerability in McAfee FRP 5.x earlier than 5.1.0.209 allows local users to gain elevated privileges via running McAfee Tray with elevated privileges.


  • CVE-2019-3621

    Authentication protection bypass vulnerability in McAfee Data Loss Prevention Endpoint (DLP Endpoint) for Windows 11.x prior to 11.3.0 allows a physical local user to bypass the Windows lock screen via DLP Endpoint processes being killed just prior to the screen being locked or when the screen is locked. The attacker requires physical access to the machine.


  • CVE-2018-10959

    Mitre and NVD have recently made this 7.5 high severity CVE public, describing the vulnerability as an Untrusted Search Path vulnerability, exploitable by modifying environment variables to trigger automatic elevation of an attacker’s process launch.


  • CVE-2018-6689

    Authentication bypass vulnerability in McAfee Data Loss Prevention Endpoint (DLP Endpoint) 10.0.x earlier than 10.0.510, and 11.0.x earlier than 11.0.600 allows attackers to bypass local security protection via specific conditions.


  • CVE-2018-6674

    When the process McTray.exe runs with elevated privileges, VSE might spawn a process inheriting the parent’s privileges. This issue exposes the system to be manipulated by an attacker.


buy me a coffee