Temporary micropatch available for zero-day Windows exploit

LASER_oneXM

A publicly disclosed Windows zero-day vulnerability could allow attackers to take full control of systems once they compromise a low-privilege account. Here's a fix.

Microsoft has left two publicly known vulnerabilities unpatched in Windows this month, but researchers have stepped in and created temporary patches that can be easily applied to protect systems until an official fix becomes available.

During the last two weeks of December, a security enthusiast who uses the online handle SandboxEscaper released details and proof-of-concept exploit code for two privilege escalation vulnerabilities in Windows. Researchers from ACROS Security have released a temporary "micropatch" for one of them through 0patch, a service that provides in-memory binary patching for zero-day flaws, and they are currently testing a patch for the secondary issue as well.
 

Gandalf_The_Grey

Important question for 0patch is, is it compatible with Windows update? E.g. when Microsoft puts a fix via update, what happens to those who’ve already patched via 0patch, are they excluded from Windows updates?
Q: What will happen on Patch Tuesday?

When Microsoft makes their official fix available, you simply apply it as you would if you had never heard of 0patch. Applying it will automatically obsolete this micropatch on your computer as the update will replace a vulnerable executable with a fixed one, thereby changing its cryptographic hash. Since our micropatches are associated with specific hashes, this will make the micropatch inapplicable without intervention on either your end or ours.
Source: 0patch Blog
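
Added example, not part of the thread and not 0patch's code: a small Python model of the hash binding the quoted answer describes, where a patch is applied to the loaded copy only when the on-disk file's hash matches the build it was written for. The `Micropatch` record, its field names, the extra expected-bytes check and the sample "executables" are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Micropatch:
    # Hypothetical record layout for illustration; not 0patch's real format.
    target_sha256: str   # hash of the exact on-disk executable the patch targets
    offset: int          # position of the bytes to replace in the loaded image
    expected: bytes      # original bytes that must be present at that offset
    replacement: bytes   # same-length fixed bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def load_and_patch(disk_file: bytes, patches) -> tuple:
    """Model one module load: copy the file into memory, then apply only the
    patches bound to this file's hash. Returns (memory_image, applied_count)."""
    memory = bytearray(disk_file)      # the on-disk bytes are never modified
    digest = sha256_hex(disk_file)
    applied = 0
    for p in patches:
        if p.target_sha256 != digest:
            continue                   # other build, e.g. official update installed
        end = p.offset + len(p.expected)
        if len(p.replacement) != len(p.expected):
            continue                   # refuse patches that would shift code
        if memory[p.offset:end] != p.expected:
            continue                   # bytes differ from what the patch expects
        memory[p.offset:end] = p.replacement
        applied += 1
    return bytes(memory), applied


# Constructed sample data standing in for two builds of one executable.
VULNERABLE_BUILD = b"MZ-demo|" + b"CALL_UNCHECKED" + b"|end"
UPDATED_BUILD = b"MZ-demo|" + b"CALL_VALIDATED" + b"|end"
DEMO_PATCH = Micropatch(
    target_sha256=sha256_hex(VULNERABLE_BUILD),
    offset=VULNERABLE_BUILD.index(b"CALL_UNCHECKED"),
    expected=b"CALL_UNCHECKED",
    replacement=b"CALL_GUARDED!!",
)
```

Loading `UPDATED_BUILD` with the same patch list applies nothing, and because only the in-memory copy changes, every fresh load of `VULNERABLE_BUILD` has to be patched again.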
 

notabot

Q: What will happen on Patch Tuesday?

When Microsoft makes their official fix available, you simply apply it as you would if you had never heard of 0patch. Applying it will automatically obsolete this micropatch on your computer as the update will replace a vulnerable executable with a fixed one, thereby changing its cryptographic hash. Since our micropatches are associated with specific hashes, this will make the micropatch inapplicable without intervention on either your end or ours.
Source: 0patch Blog

That’s the claim :) Has anyone tried it though? Does it also play well with the various Windows integrity mechanisms?
 

notabot

It's been running great for me for months and months and hasn't affected Windows updates at all. I've had absolutely no issues with 0patch at all.

Thanks!
Do you have memory integrity, under device security -> core isolation, turned on? (I’d imagine that is a potential source of conflict)

Also what happens when you reboot? According to the articles all patching is in-memory and nothing persists (does e.g. 0patch just patch it again?)
 

Vasudev

Important question for 0patch is, is it compatible with Windows update? E.g. when Microsoft puts a fix via update, what happens to those who’ve already patched via 0patch, are they excluded from Windows updates?

Once MSFT have updated, the micro-patches get disengaged. I refrained from installing the latest W10 update twice and 0patch patched a few exploits, and once I updated to the latest build 556 for v1803 the patches were disabled and currently only the zero-day exploit mentioned in this thread is active!
 

Gandalf_The_Grey

Found the answer why 0patch wasn't working for me right in the linked article:
"Our micropatch is for Windows 10 version 1803 64-bit," Mitja Kolsek, CEO of ACROS Security and co-founder of the 0patch.com service, says. "We often make a micropatch just for one or several most popular versions and wait for users to express interest in porting to other versions as needed."
I'm on 1809...
 

notabot

Once MSFT have updated, the micro-patches get disengaged. I refrained from installing the latest W10 update twice and 0patch patched a few exploits, and once I updated to the latest build 556 for v1803 the patches were disabled and currently only the zero-day exploit mentioned in this thread is active!

Can’t the micro-patches be reapplied for your build?
 

notabot

Wouldn't a good security suite by a reputable vendor, i.e. Kaspersky, Bitdefender, or Norton, protect a system against this ZD exploit without patching?

There is exploit mitigation in most suites including Windows Defender but it’s not guaranteed to catch all exploits. Patching is still a must.

Also in practice anti-exploit would only cover user space exploits, kernel ones can only be patched in practice (there’s GRSecurity for Linux that’s meant to be about prevention but adoption is low so there’s no way to evaluate how well it has worked). Patches are released for both kernel and user space exploits though.

If I were to choose between patching to latest without any security software or high tier security software and no patching, I’d choose patching.
For moderate to low risk activities (no pirated software, conservative browsing, only open emails from folks you know and open attachments only when you expect one), a fully patched system is quite secure.
 

Vasudev

Thanks, it wasn’t clear to me the build upgrades contained the said patches.

Do you use the built-in Windows memory integrity? Does it play well with 0patch?
Memory integrity slows down the PC performance and might not play nice with AV and micro-patching utilities.
If you have a Threadripper CPU and you want to cut its performance down by 50% use memory integrity.
 

notabot

Memory integrity slows down the PC performance and might not play nice with AV and micro-patching utilities.
If you have a Threadripper CPU and you want to cut its performance down by 50% use memory integrity.

Depends on your needs; for my new machine performance degradation doesn’t impact my work so I’ve enabled it. On my older 5-year-old machine, it was killing the machine so I disabled it.

To the extent it doesn’t annoy someone in their workflows there’s no reason to turn it off.
 

Vasudev

Depends on your needs; for my new machine performance degradation doesn’t impact my work so I’ve enabled it. On my older 5-year-old machine, it was killing the machine so I disabled it.

To the extent it doesn’t annoy someone in their workflows there’s no reason to turn it off.
If your Intel CPU is 8th gen HQ or newer gen you won't feel a difference because these memory integrity protections are there along with NG Spectre fixes so you are getting better security w/o a compromise in speed.
I always have old PCs so it kills my PCs.
 

DeepWeb

I just have a big distrust with 3rd party patching. You are entrusting a third party to mess with your Windows system files? I just think it is risky. It's better to wait for the Microsoft patch. It's very very unlikely you will run into this vulnerability in the real world.
 

Vasudev

I just have a big distrust with 3rd party patching. You are entrusting a third party to mess with your Windows system files? I just think it is risky. It's better to wait for the Microsoft patch. It's very very unlikely you will run into this vulnerability in the real world.
They are just like hooks that are placed when the host PC is online/running, and patches are taken out of memory once shut down. These are called micro-patches for a reason: they are small, don't need a reboot and play safe with all apps, as it only patches the affected product or software.
 