A Retrospective of The Last Couple of Months in our PatchFactory
by Stanka Salamun, the 0patch Team
The last couple of months were very exciting for our team. We were good Internet citizens – all together we produced, tested and distributed a few hundred bytes of code for more than 15 micropatches (feel free to sigh and whisper: “so tiny?” ), but every byte of that was a precise microsurgical cut with a significant impact to the security of your computer. You probably did not notice any of them, because we strive to make the healing process completely painless for you. It’s time for the world to realize that the terms “patching” and “instantly” finally belong together.
We fixed 4 (yes, four) 0days; right now one of them is still without an official vendor patch, and some were or are exploited in the wild. One bug that we fixed was initially rejected for patching by the original vendor and another one broke users’ networking. Some of these “micropatch stars” deserve a bit of additional attention.
Outrunning the attackers at a 0day in Microsoft Jet Database Engine
This one is still a genuine 0day without a CVE. The Zero Day Initiative published details of an unpatched remotely exploitable vulnerability in all Windows versions due to Microsoft missing their 120-day fixing window.
How long does it take for a vulnerability to be patched after a 0day has been dropped? Our answer is: ideally, one day. Challenge accepted: 7 hours after ZDI has published details on this unpatched remotely exploitable vulnerability in Jet Database Engine, we had a micropatch candidate on Windows 7, and within 24 hours our users had micropatches installed and applied on all supported Windows versions.
One of our goals with 0patch is to make vulnerability patching so fast that attackers won’t even manage to develop a reliable exploit for a public vulnerability before it is already patched on most users’ computers. What a goal, huh?
There is still a lot of buzz about this bug in the media – you can read about it in The Register, Softpedia and SecurityWeek. We also reveal all the dirty technical details in our blog post.
As of this writing, our micropatches for the remotely exploitable “0day” in Jet Database Engine are still THE ONLY patches available for this issue.
We Also Micropatched a Publicly Dropped 0day in Task Scheduler (CVE-2018-8440) Ahead of Microsoft
Being who you are can be a bad thing if you’re a system service. This is especially true if you are Windows Task Scheduler service that allows a local unprivileged user to change permissions of any file on the system, and you suffer from a local privilege escalation vulnerability. Bad luck for Task Scheduler: as it was a local bug that required the attacker to be locally logged, Microsoft didn’t feel the need to release an out-of-band update.
But we did. We created a micropatch and described it in detail. After that we were curious how Microsoft would approach the issue. It turned out their official patch was functionally identical to our micropatch, but we were able to be more agile and less intrusive using a different patching technology.
For this one we earned our appearance in Forbes as they said: “ACROS Security seems to have beaten Microsoft to the punch.”
Famous CVE-2018-8174 – a micropatch instead of the official update that probably broke your network
This was a critical remote code execution issue in Microsoft VBScript Engine, exploit for which has previously been detected in the wild. The bug became kind of famous because the official Microsoft update broke networking on some computers, prompting users to avoid its application. As Windows updates are “all or nothing” these days, the users can’t just remove a defective KB and enjoy the protection provided by other KBs issued on the same Patch Tuesday, so many of them were left vulnerable. For these users we created a single-instruction micropatch and you can read the whole story here.
CVE-2018-8414 – initially rejected for patching by MicrosoftThis vulnerability was reported to Microsoft but deemed non-critical, until attackers started exploiting it. So an official vendor patch was available, but we decided to create a micropatch anyway.
We wanted to prove that micropatches could implement the same logic as official updates, but without the fuss for the users and with minimum changes on the affected system. Many users and admins don’t / can’t / won’t / shan’t apply official updates or delay their application for all sorts of reasons. In all these cases micropatching is a reliable, targeted, instantly reversible alternative.
In our video you can view this micropatch in action.
As always, all of these micropatches were automatically deployed on all computers running 0patch Agent within 60 minutes from our publishing. So if you had 0patch Agent installed, you were among the lucky ones that were immediately protected.
Finally, a friendly reminder for those who aren’t 0patch users yet: our micropatches for the remotely exploitable “0day” in Jet Database Engine are still THE ONLY patches available for this issue. And they’re FREE! Everyone is welcome to download free 0patch Agent from https://0patch.com and register a free account to get these micropatches.
If (or when) the official fixes become available, just apply them fearlessly. Our micropatches will automatically stop getting applied because the cryptographic hashes of updated binaries will no longer match the ones associated with the micropatches. You don’t have to do anything else; 0patch micropatches are simply stepping aside when they are no longer your best option.