Slashdot Mirror


Third-Party Vendor Issues Temporary Patch For Windows Vulnerability (bleepingcomputer.com)

An anonymous reader writes: "A vulnerability discovered by Google Project Zero security researchers and left without a patch by Microsoft received a temporary fix from third-party security vendor ACROS Security," according to Bleeping Computer. Microsoft is set to officially patch the flaw on March 15, after it previously pushed back February's Patch Tuesday for next month.

"According to Google researchers, attackers could leverage malformed EMF files to expose data found in the victim's memory, which can then be leveraged to bypass ASLR protection and execute code on the user's computer... ACROS Security has issued a temporary patch that can be applied to Windows computers via its product, called 0patch, a platform that applies fixes for zero-days, unpatched vulnerabilities, end-of-life and unsupported products, for legacy OSes, vulnerable 3rd party components, and customized software." When Microsoft issues an official update, the temporary patch will stop working immediately.

16 of 39 comments

  1. Patch Not Needed by Anonymous Coward · · Score: 1

    APK's HOSTS file will protect me.

    1. Re: Patch Not Needed by dougdonovan · · Score: 1

      Gosh, Windows doesn't need a patch but it is issued anyway. Why am I responding to this? Because I have nothing else better to do than to sit in front of a monitor and stare at it.

  2. Why do Microsoft push back a critical patch? by Anonymous Coward · · Score: 4, Interesting

    did they get a court order from the NSA, because they need time to exploit it? Apple has done the same in the past, waiting up to 10 months fixing flaws that were critical, but had trivial solutions.

    1. Re:Why do Microsoft push back a critical patch? by Anonymous Coward · · Score: 3, Informative

      Because they need to make sure the patch won't screw up something else?

      Or at least, that's one of the excuses they give.

    2. Re:Why do Microsoft push back a critical patch? by tlhIngan · · Score: 1

      > did they get a court order from the NSA, because they need time to exploit it? Apple has done the same in the past, waiting up to 10 months fixing flaws that were critical, but had trivial solutions.

      Because patches need to be tested to make sure they don't break things. Trivial solutions may introduce side effects that break other things unexpectedly.

      For an example, take Linux. You'd think everyone who uses Linux would install every update immediately (and there are lots that come out daily). But at work, we disable updates, because you know what happens? Some update happens and then your installation is broken. Sure it boots, sure you can log in. But all of a sudden the build breaks because a minor tool stopped working. And now you're down a developer for a week who has to figure out why they can't compile their code anymore.

      And that's Linux with the free patching policy where updates are applied willy-nilly. Sure the bugs are fixed, but no one does a bigger integration test to make sure it didn't break something else. (And yes, we occasionally run into the whole "X stops working" style bugs as well. But at least for those we give the user a replacement hard drive with a clean Linux install. They keep the old drive to migrate their user data and then it's returned and wiped. And if they update and screw up the install again, we make a note to not go further than that via updates.)

      So we simply disable all updates leaving all Linux installs vulnerable.

      Of course, Apple and Microsoft don't have such luxuries so even a 5 minute fix needs extensive regression testing and even sometimes full system tests to make only reasonably sure that it won't break much. (There will always be someone with a strange configuration that breaks.)

      Open source helps a little bit, only because if it's a particularly bad system break there's going to be a lot of people debugging it for you, so the original developer gets a lot of (free) help.

      Debugging and fixing bugs, especially deep bugs in core systems like kernel or graphics systems is just a tiny part of the entire development time. Most of it is spent in testing because an error in the fix will propagate into the strangest of bugs in the higher levels of the stack.

  3. EMF? by Anonymous Coward · · Score: 2, Interesting

    Why the fuck does a browser load an EMF file?

    How about locking it down to js, css, html, png, gif, and jpg?

    What's next? Direct in-browser rendering and execution of exe, com, bat, pif, reg, and dll?

    1. Re:EMF? by Anonymous Coward · · Score: 1

      They can get rid of the JavaScript, too.

    2. Re:EMF? by Anonymous Coward · · Score: 1

      > What's next? Direct in-browser rendering and execution of exe, com, bat, pif, reg, and dll?

      That was called ActiveX.

    3. Re: EMF? by wasteoid · · Score: 1

      It's Unbelievable!

  4. Patch Tuesday is March 14, not 15 by arobatino · · Score: 1

    Next Patch Tuesday is March 14. Let's not make it any later than it is.

    1. Re:Patch Tuesday is March 14, not 15 by antdude · · Score: 1

      Basically, pi day! :P

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  5. Re: patching without source code by ewanm89 · · Score: 3, Informative

    So you have never changed a value in some binary to skip a routine or something? It is relatively easy to change a conditional jump to an unconditional jump or noop if you know a little reverse engineering, crackers used to do such things all the time to bypass things like disk checks.
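
An edit of the kind this comment describes can be spotted by comparing a binary against a known-good copy. The following is an added example, not part of the original comment: a heuristic byte-level diff (not a disassembler) run over constructed x86 byte strings; the names `find_jump_patches`, `REFERENCE` and `TAMPERED` are assumptions made for illustration.

```python
# Added example: flag in-place edits that neutralise a short conditional jump.
# Heuristic only: it compares raw bytes and does not decode instructions, so a
# changed operand byte that happens to fall in 0x70-0x7F is also reported.
JCC_SHORT = range(0x70, 0x80)  # x86 short conditional jumps (Jcc rel8)
JMP_SHORT = 0xEB               # x86 short unconditional jump (JMP rel8)
NOP = 0x90                     # x86 single-byte no-op


def find_jump_patches(original: bytes, patched: bytes):
    """Return (offset, description) for each altered short conditional jump."""
    if len(original) != len(patched):
        raise ValueError("in-place patches keep the length unchanged")
    findings = []
    i = 0
    while i < len(original) - 1:
        # Only look at positions where a Jcc opcode byte was modified.
        if original[i] == patched[i] or original[i] not in JCC_SHORT:
            i += 1
            continue
        if patched[i] == JMP_SHORT and patched[i + 1] == original[i + 1]:
            findings.append((i, "conditional jump made unconditional"))
        elif patched[i] == NOP and patched[i + 1] == NOP:
            findings.append((i, "conditional jump replaced with NOPs"))
        else:
            findings.append((i, "conditional jump opcode changed"))
        i += 2  # skip the rel8 operand of the two-byte instruction
    return findings


# Constructed sample: two tiny routines, each "test reg,reg; jcc; xor; ret".
REFERENCE = bytes.fromhex("85c0" "7405" "31c0" "c3" "85db" "7502" "31db" "c3")
# Same bytes with JE turned into JMP and JNE overwritten with two NOPs.
TAMPERED = bytes.fromhex("85c0" "eb05" "31c0" "c3" "85db" "9090" "31db" "c3")

if __name__ == "__main__":
    for offset, what in find_jump_patches(REFERENCE, TAMPERED):
        print(f"offset 0x{offset:02x}: {what}")
```
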

  6. Re:patching without source code by Lunix Nutcase · · Score: 1
  7. Malformed EMF file? by Th0th · · Score: 2

    That's unbelievable...

    --
    "BadTimes will make you fall in love with a penguin" - Laika
  8. How's life in the hypocrite lane, gramps?

  9. Re:So . . by Errol backfiring · · Score: 1

    > Why are people paying for windows again?

    Because they do not have a choice.

    --
    Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!