Two more Windows zero-days get temporary patches
Temporary patches are now available for all three Windows zero-days that have been disclosed in the past month. A first temporary patch was released last week, and two others followed this week.
The patches have been made available by a third-party security firm after Microsoft did not release official fixes at the start of the month, during its regular January 2019 Patch Tuesday update window.
To install the temporary patches (also called micropatches), users must install the 0patch Agent client from Acros Security.
The 0patch software was initially created for companies that use old Windows versions across their PC fleet, so Acros experts can deploy patches for new bugs affecting old versions of the Windows operating system that have reached End-Of-Life (EOL) and no longer receive official updates from Microsoft.
However, over the past year, Acros has also been using its 0patch client to deliver temporary patches for security flaws that Microsoft's staff did not get to fix, for one reason or another, during its regular Patch Tuesday update window.
Over the last five days, Acros experts have released three micropatches for the three Windows zero-days for which proof-of-concept (PoC) exploit code has been posted online, opening the window for possible real-world attacks against Windows users.
The three zero-days that have been disclosed over the past month and which have received micropatches are as follows:
Name | Description | PoC/Demo | Disclosed |
---|---|---|---|
Windows ReadFile 0-day | Malicious code can abuse the Windows ReadFile OS function to read any local file, regardless of the user's permission level. | PoC/Demo | December 20 |
Windows WER 0-day (aka AngryPolarBug) | Malicious code can overwrite and replace any file on the user's system. | PoC/Demo | December 27 |
Windows VCF (Contacts) 0-day | Malicious code abuses the way Windows reads vCard files (VCFs) to execute code on the computer with elevated privileges. | PoC/Demo | January 10 |
For now, none of the three Windows zero-days or their respective PoCs have been observed being used in the wild by any malware author or cybercriminal group.
According to security researchers who analyzed the zero-days on Twitter and on security forums in the last month, the main reasons might be that the zero-days either need to be combined with other exploits, aren't always reliable, or can't be used with mass spam distribution campaigns, being only useful in very targeted attacks.