Jump to content
sman

0patch releases micropatch for Internet Explorer vulnerability -- including

Recommended Posts

0patch releases micropatch for Internet Explorer vulnerability -- including for Windows 7

https://betanews.com/2020/01/22/internet-explorer-vulnerability-0patch/

At the end of last week, a serious vulnerability was discovered in Internet Explorer, affecting all versions of Windows. Not only is the bug (CVE-2020-0674) being actively exploited, but for Windows 7 users the vulnerability was exposed right after their operating system reached the end of its life.

Even for users of newer versions of Windows, and despite the severity of the security flaw, Microsoft said it would not be releasing a patch until February. Stepping in to plug the gap comes 0patch with a free micropatch for all versions of Windows affected by the vulnerability.

This is not the first time 0patch has stepped up to the plate and addressed a security issue before Microsoft. Although the Windows-maker says it will not release a fix until February's Patch Tuesday, the company did publish details of a workaround to help mitigate against the vulnerability. But, as 0patch notes, the workaround was not without issues.

Because the provided workaround has multiple negative side effects, and because it is likely that Windows 7 and Windows Server 2008 R2 users without Extended Security Updates will not get the patch at all (their support ended this month), we decided to provide a micropatch that simulates the workaround without its negative side effects.

The vulnerability is in jscript.dll, which is the scripting engine for legacy JScript code; note that all "non-legacy" JScript code (whatever that might be), and all JavaScript code gets executed by the newer scripting engine implemented in jscript9.dll.

Microsoft's workaround comprises setting permissions on jscript.dll such that nobody will be able to read it. This workaround has an expected negative side effect that if you're using a web application that employs legacy JScript (and can as such only be used with Internet Explorer), this application will no longer work in your browser.

0patch points out that there are other unwanted side effects of using Microsoft's workaround:

Windows Media Player is reported to break on playing MP4 files.

The sfc (Resource Checker), a tool that scans the integrity of all protected system files and replaces incorrect versions with correct Microsoft versions, chokes on jscript.dll with altered permissions.

Printing to "Microsoft Print to PDF" is reported to break.

Proxy automatic configuration scripts (PAC scripts) may not work.

For anyone using the 0patch platform, the patch is available right now. It is compatible with the 32- and 64-bit versions of Windows 7, Windows 10 v1709, Windows 10 v1803,  Windows 10 v1809,  Windows Server 2008 R2 and Windows Server 2019.

The company has produced a video showing the patch in action:

https://youtu.be/ixpBN_a2cHQ

It's also worth reading through the accompanying blog post for an explanation of how the patch works.

Share this post


Link to post
Share on other sites

@Pierre75this is free, but to get it one has to register. to get free patches and pay for any paid patches.

imageedit_1_6639818488.jpg

Edited by sman

Share this post


Link to post
Share on other sites

Note that it is necessary to register a free account as you need to sign-in to the application.  Once you are signed in data is synced between the local system and the server to determine the patch state of the system. The program lists patches that are available for free and for purchase in the interface; all it takes is to get the Internet Explorer 11 patch installed for the system to protect it against attacks that target the vulnerability.

0Patch states that its patch does not cause the side-effects that Microsoft's workaround is causing (web applications that make use of jscript.dll will not work anymore).

Administrators who run the 0Patch Agent software on their devices may toggle patches on or off in the interface.

source - https://www.ghacks.net/2020/01/23/0patch-releases-patch-for-internet-explorer-vulnerability-also-for-windows-7/

Share this post


Link to post
Share on other sites

@sman, great explanation - thank you. Just one more question: I have 3 PCs all running Windows 7 Home Premium x64 all running off the same router so do I have to register 3 times or just once? If you are unable to answer that I will contact 0Patch direct. U C I am only on a pension and have been since I retired in 1995. Yes, I have not worked since that time - I rely on the government for money. IBM gave me a nice package to make me redundant back then. If you wish to know more I can send you a PM. 😀

Share this post


Link to post
Share on other sites

It is a per-machine license, so you'd have to purchase 3 licenses, then you'd just have to sign in with your account info in each client on each system and that should activate all 3 (licenses are tied to your email address and password that you create when signing up).  I know all this because I've been keeping a close eye on this program for obvious reasons being a Windows 7 holdout myself.

Share this post


Link to post
Share on other sites

@Pierre75 would suggest check for a system first and then move on to others (that the patches work and sans any problems)..

And regarding licenses , have no idea, maybe @exile360 may be right but a confirmation with 0patch would be better.

Share this post


Link to post
Share on other sites

@Pierre75 though it's about pro licenses for businesses, shd give an idea of personal use too.

How many PRO licenses do I need for my computers?

https://0patch.zendesk.com/hc/en-us/articles/360020552934-How-many-PRO-licenses-do-I-need-for-my-computers-

"https://tinyurl.com/tg46ex9"

https://0patch.zendesk.com/hc/en-us/articles/360018692234-Am-I-allowed-to-use-0patch-for-free-without-purchasing-a-license-

 

Selectionshot_2020-01-27_10:39:34.png

Edited by sman

Share this post


Link to post
Share on other sites

Thanks @smanand @exile360. I have passed the first hurdle with IE11. Posted a question on LzD forum and was shown how cripple / remove IE11. Worked like a charm - been using FF for quite a while anyway. So 0patch is now on the back-burner for a while. Will send them an email  asking re my laptops. My laptops do not have receive any emails as I did not set up that function on purpose. Thunder in the heavens so another storm is brewing. 😀

Share this post


Link to post
Share on other sites

The email doesn't need to be accessed on the machine being protected.  You just create an account using an email then use the same login info to activate the paid version of the software, similar to entering a license key in most products.  It checks online to see that you've paid for a license and how many machines/instances you paid for as well as how many machines/instances are active and activates if you have any instances available.

Share this post


Link to post
Share on other sites

@Pierre75 need to note that Win 7 patches all fall under pro-patches. so, unless a paid licensee, will not receive these patches.

imageedit_1_4169412576.jpg

Share this post


Link to post
Share on other sites

@exile360, thanks for your reply but @sman put a hole in it. I will check their charges for a PRO licence but will weigh up the cost and see if it is worthwhile. May just buy 1 of Windows 10 laptop - and I mean MAY just to cover just the 8 Family Trees. Thanks for your replies. 👍 

Share this post


Link to post
Share on other sites

@Pierre75 A pro license is $26 or so/pa . so not much compared to going in for a new laptop (may be $400-500 or cheaper with china one's). . so, you can decide which suits you, better.

Share this post


Link to post
Share on other sites

You might also find this page from their FAQ to be informative.  It explains a lot about the pros and cons of using 0patch for Windows 7 updates going forward, including the cost per year/per machine for the remainder of time they plan to offer the product/service (3 years; the same as Microsoft's schedule for extended updates for qualified organizations; likely because they will be developing their patches based on patches and details of exploits/vulnerabilities from Microsoft themselves during that period).

As far as individuals on this forum are concerned, they should also consider the fact that one of the primary components of protection in Malwarebytes Premium is Exploit Protection, which has already proven itself quite effective against many new 0-days both in detection/prevention through its behavior based rules, as well as through the more passive OS and software hardening techniques that it includes for shielding the OS and key applications from many types of exploits and potential vulnerabilities.  It certainly does not cover every system component and potential threat vector, and of course there have been many patches issued by MS to patch the Windows OS against vulnerabilities which would not currently be covered by the protection in Malwarebytes, however it should be known that it does go far in decreasing the chances of becoming a victim of a new 0-day exploit, including on unpatched systems.  It does not guarantee that 7 will be secure against all attacks, but it does greatly reduce the level of risk to have it.

Share this post


Link to post
Share on other sites

Thanks @sman & @exile360, all makes sense. Just worked out it would cost me about $AUD 40.00 per year for each PC. Now to work out whether to take any offline but leave them as part of my Home-group. That may not be possible as everything is hard-wired into the modem. Nothing like a challenge. 

Share this post


Link to post
Share on other sites

There should be some way to limit network access to local devices only I would think, though it might require third party tools to accomplish it.

Share this post


Link to post
Share on other sites
7 minutes ago, sman said:

@Pierre75 Hardwired, is it a Lan? 

Yes, that's what it sounds like.

I did find a post on the MS support forums here that describes one method marked as the appropriate answer so that might be a solution.  I would think there would be a cleaner method than basically 'breaking' internet access, however if it's the best way and requires no third party tools then I guess that's the answer.  I found another post on their forums with basically the same reply to the same issue here.

I hope it helps, assuming there is no superior/more elegant solution.

Share this post


Link to post
Share on other sites

I also just came across this which describes another method, though I believe it requires that your network be set up as a domain (which requires Windows Pro, Enterprise or Ultimate I believe).

There may also be a way through your router/modem to restrict web access to specific devices while allowing only local network communications from the others, though I doubt most generic ISP routers/modems provide such functionality (though a router from the likes of Linksys/Cisco, Netgear, D-Link etc. should I would think).

Share this post


Link to post
Share on other sites

Configuring the router to limit network devices with MAC address is the normal way to go, which would leave Lan access intact. But why need to go offline in the first case? as 0patch works to pacth in background with system online, going offline will defeat the purpose.

Edited by sman

Share this post


Link to post
Share on other sites
54 minutes ago, sman said:

Configuring the router to limit network devices with MAC address is the normal way to go, which would leave Lan access intact. But why need to go offline in the first case? as 0patch works to pacth in background with system online, going offline will defeat the purpose.

He'd have to update it periodically, however he could keep it offline most of the time.  I also think he was considering not using 0patch and just keeping the systems offline to keep them safe, though I could be mistaken on that.

Share this post


Link to post
Share on other sites

Working offline for what purpose? than why look for 0patch at all? Mac address are unique, once set it's set forever. and 0patch updation is automatic. So, can't understand why to go offline in the first case?

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.