Quick RE
I installed 0patch in a Win7 VM and played with the Console for a bit to understand its general functionality. There was no information about where patchlets are stored or how they work, so I moved all the 0patch supporting executables to my host machine.
A 0patch blog post on writing a patchlet for an Adobe bug mentions a tool for creating and installing the patchlet itself, but that tool has not been released yet. Based on the other information in the blog post, I took a look at the registry. In Figure 4, on the left, the registry tree is expanded down through the AcroRd32.dll key, with the following:
The way 0patch works is this: the 0patch drivers hook execution of a running or newly started process, inject 0patchLoader(x64).dll into each process, then apply the patch by creating a read/execute section of memory in which the patchlet code is placed, and overwrite the OriginalBytes with a JMP that redirects execution to that code. Note: the driver implementation is not covered in this blog post.
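The mechanism just described (function entry bytes replaced by a JMP into a separately allocated executable section) is exactly what an integrity check looks for when it verifies that a process image has not been altered in memory. The following C code is an added example and not part of the original post or of 0patch's tooling; it decodes an x86/x64 `E9 rel32` JMP at a function entry, computes its absolute target, and flags the function as hooked when the target lies outside the owning module's mapped image. The module range, function address and byte patterns are constructed sample values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* x86/x64 near relative jump: opcode E9 followed by a signed 32-bit displacement
 * measured from the end of the 5-byte instruction. */
#define JMP_REL32_OPCODE 0xE9
#define JMP_REL32_LEN    5

typedef struct {
    uint64_t base;  /* start of the module's mapped image */
    uint64_t size;  /* size of the mapped image in bytes */
} module_range_t;

/* Returns 1 if the bytes at func_addr are a JMP rel32 whose destination lies
 * outside the module that owns the function (the signature of an inline hook
 * into a separately allocated section), 0 otherwise. When a JMP is present the
 * decoded absolute target is written to *target_out. */
int detect_inline_jmp_hook(const uint8_t *code, size_t code_len, uint64_t func_addr,
                           const module_range_t *mod, uint64_t *target_out)
{
    if (code_len < JMP_REL32_LEN || code[0] != JMP_REL32_OPCODE)
        return 0;                                  /* not a JMP rel32 at entry */
    int32_t rel;
    memcpy(&rel, code + 1, sizeof rel);            /* little-endian displacement */
    uint64_t target = func_addr + JMP_REL32_LEN + (uint64_t)(int64_t)rel;
    if (target_out)
        *target_out = target;
    int inside = target >= mod->base && target < mod->base + mod->size;
    return inside ? 0 : 1;                         /* intra-module JMPs are normal */
}

/* Returns 1 when the live bytes differ from the recorded original bytes
 * (the equivalent of comparing a captured OriginalBytes value with memory). */
int bytes_modified(const uint8_t *original, const uint8_t *live, size_t n)
{
    return memcmp(original, live, n) != 0;
}

/* ---- constructed sample data (hypothetical addresses, not from any real module) ---- */
static const module_range_t sample_mod = { 0x7FF612340000ULL, 0x100000ULL };
static const uint64_t sample_func = 0x7FF612345678ULL;

/* Original prologue: mov edi,edi ; push ebp ; mov ebp,esp (hot-patchable entry). */
static const uint8_t sample_original[5] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
/* Hooked entry: JMP to 0x7FF612600000, i.e. rel32 = target - (func + 5) = 0x2BA983. */
static const uint8_t sample_hooked[5]   = { 0xE9, 0x83, 0xA9, 0x2B, 0x00 };
/* A JMP that stays inside the module (rel32 = 0x10): not a hook. */
static const uint8_t sample_local_jmp[5] = { 0xE9, 0x10, 0x00, 0x00, 0x00 };

int sample_hooked_detected(void)
{
    return detect_inline_jmp_hook(sample_hooked, sizeof sample_hooked, sample_func,
                                  &sample_mod, NULL);
}

uint64_t sample_hooked_target(void)
{
    uint64_t t = 0;
    detect_inline_jmp_hook(sample_hooked, sizeof sample_hooked, sample_func, &sample_mod, &t);
    return t;
}

int sample_original_detected(void)
{
    return detect_inline_jmp_hook(sample_original, sizeof sample_original, sample_func,
                                  &sample_mod, NULL);
}

int sample_local_jmp_detected(void)
{
    return detect_inline_jmp_hook(sample_local_jmp, sizeof sample_local_jmp, sample_func,
                                  &sample_mod, NULL);
}

int main(void)
{
    printf("original prologue hooked: %d\n", sample_original_detected());
    printf("intra-module jmp hooked:  %d\n", sample_local_jmp_detected());
    printf("patched entry hooked:     %d (target 0x%llx)\n", sample_hooked_detected(),
           (unsigned long long)sample_hooked_target());
    printf("bytes differ from original: %d\n",
           bytes_modified(sample_original, sample_hooked, 5));
    return 0;
}
```

In a real integrity check the module range comes from the loaded-module list and the live bytes from a read of the target process; the decoder above is the part that turns "first byte is E9" into a decision, and the intra-module case shows why a bare opcode match is not enough, since compilers and legitimate hot-patch stubs emit entry JMPs that stay within the image.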
In Conclusion
0patch is great for an attacker performing subtle modifications to fully patched systems. One could use 0patch to make the PRNG return predictable values, defeat debugger checks, dump protected content (anti-DRM), or create vulnerable applications for your CTF.
Hopefully 0patch will create a patch-bounty market, similar to the burgeoning bug-bounty market, where businesses request patches with associated payouts and security developers submit patches with ratings on prior success and guarantees on testing.
Josh Pitts is a Principal Hacker at Okta on our offsec team. He has over 15 years' experience conducting physical and IT security assessments, IT security operations support, penetration testing, malware analysis, reverse engineering, and forensics. Josh also served in the US Marines working in SIGINT.
Microsoft this week ended its patch support for Windows 7 and other venerable Windows products, but one company, 0patch, is saying that it'll provide fixes for "Critical" security issues for another two years.
0patch, which issues so-called "micropatches" for other companies' software, is part of Acros, a security research company based in Slovenia. In October, 0patch announced that it will provide two more years of Critical security patches for both Windows 7 and Windows Server 2008 R2. In January, 0patch announced patch support for the Microsoft Edge browser on those operating systems. It'll also offer two years of Edge patch support for Windows Server 2012, another Microsoft product that will fall out of support this year in October.
Micropatching Explained
To hear 0patch explain it, in-memory micropatching comes with reduced risks over conventional patches from software vendors that may change the source code. The patches get downloaded from 0patch's servers, but get applied in memory.
Our patches get downloaded from 0patch servers, stored on the computer and applied in memory of running processes whenever needed. They are very different to official Windows updates, which replace entire executable files -- 0patch patches are very small and only correct a very targeted piece of code to remove an individual vulnerability each. You can find out more about them here.
"Fortunately, applying and un-applying any one of our patches is an instant event (because it all happens in the memory) and does not require a computer restart or even relaunching the patched application," Kolsek explained.
The micropatch concept may sound too good to be true, and it would solve a lot of the problems organizations have in keeping current with Microsoft's software. So I asked Kolsek why Microsoft doesn't do micropatching for its customers. Here's his interesting response:
Microsoft has been experimenting with in-memory patching back on Windows Server 2003, but that hasn't gained ground for some reason. Last year, they started providing "hotpatching" on Azure-based Windows Server 2022, which is somewhat similar to what we do. There is no proprietary technology involved in our solution as what we do has been known for decades -- it's just that we have created an affordable and easy-to-use service that addresses the needs of many Windows users.
The Compliance Question
Compliance may still be a concern for organizations adopting the 0patch approach; it comes down to an auditor assessing 0patch's solution. Here's how Kolsek explained that aspect:
Standards and regulations that various organizations must comply with have different requirements for patching and mitigations, but none that we know of explicitly mention unofficial or third-party patches. It is therefore up to the auditor to decide how to categorize 0patch in the context of these requirements, which they also do in case of mitigations that organizations put in place for preventing exploitation of unpatched vulnerabilities.
"We make licensing very simple by requiring one license for every computer that has 0patch Agent registered -- whether it's a workstation or a server, a virtual or physical machine," Kolsek indicated.
0patch doesn't patch vulnerabilities within the Windows kernel or .NET code. The limits of its micropatch approach are described in this 0patch article. A link to its frequently asked questions page can be found here.
Corporate users and administrators appreciate the lightness and simplicity of 0patch, as it shortens patch deployment time from months to just hours. Reviewing tiny micropatches is inexpensive, and the ability to instantly apply and remove them locally or remotely significantly simplifies production testing.
0patch Agent, our mighty little patching machine, watches over all processes running on the computer. When any one of them is found to have a patch available, that patch is immediately applied to the process in memory without disturbing that process.
I just got a note from @Microfix that pointed me to an interesting discussion from Ionut Ilascu at BleepingComputer: After Microsoft ends support for
[See the full post at: Worth considering: 0patch for Win7 after January 2020]
The updates themselves will be delivered via all normal update delivery processes, including SCCM, WU, WUfB, and WSUS. The update will be programmed to look for the MAK activation on the endpoint and will install only on those systems with the MAK key.
A MAK key/license from Microsoft? And, if so, as it might seem to be the case you are considering in your reply, the way it is written, will that also be a requirement for the third-party updates under discussion here? My understanding is that those are for everyone that cares to pay $25 a year and has a compatible (Win 7) computer.
And why are there so many Win 7 devices? Because Microsoft royally destroyed the reputation of its successor, Win 10. And MS refuses to admit fault, or improve/fix/address its terrible Win 10 update policies or the testing of those updates.
Patches for vulnerabilities affecting predominantly home users and users in educational institutions (e.g., WinRAR or Equation Editor patches) shall be FREE patches.
Patches for 0days that affect many home/educational users shall be FREE patches for some period of time (usually one month), or until official vendor fixes for such 0days are issued, at which time they will turn into PRO patches.
Patches for issues affecting predominantly organizations (e.g., Windows Server issues) shall be PRO patches.
Patches for end-of-life products (e.g., old Java runtime versions, Windows Server 2003, or Windows 7 after January 14, 2020) shall be PRO patches.
From this BleepingComputer article, I had inferred that 0patch would be issuing their own in-house-created patches (based on the MS security bulletins and security releases): -7-and-server-2008-get-0patch-security-fixes-after-eos/ .
Copying what I see as a key portion of the article, at least as far as we Win 7 addicts are concerned, I think these paragraphs clear up the issue of what the patches are for (not discounting the possibility that there might also be patches for some of the applications that run on Windows).
High-risk problems eligible for micropatching are defined here and include those that are easy to exploit, are already used in attacks, flaws leading to a realistic remote code execution scenario, or those that have a patch that cannot be applied immediately.
More folks staying on Windows 7 after Jan 2020 should give MS a good indication of the possibility and profitability of selling extended Windows 7 security updates past 2020 to consumers and not just Enterprise and Volume Licensing clients.
So just like Windows XP there will be some edge use cases for folks remaining on Windows 7 longer in some offline state on some CNC milling machines/other use cases that can only function properly with the software/OS ecosystem that shipped with the machinery.
Both Windows 7 and 8/8.1 will eventually disappear by attrition down to some minimal level as all new hardware will ship/has been shipping for some time with Windows 10 anyways. And windows 8/8.1 will be EOL in 2023.
Or is your desire to have a clean copy to resell to others who will not make their own image as part of an overall backup plan? Microsoft stopped development of Windows 7 years ago, as planned, as scheduled, as publicized. They will stop free (gratis) support all together as planned, as scheduled, as publicized. There is no burden to finally produce a product they have refused to provide over the last several years. If it turns out they do, it will be a very generous gift that no one paid for (gratis).