
sman


0patch releases micropatch for Internet Explorer vulnerability -- including for Windows 7

https://betanews.com/2020/01/22/internet-explorer-vulnerability-0patch/

At the end of last week, a serious vulnerability was discovered in Internet Explorer, affecting all versions of Windows. Not only is the bug (CVE-2020-0674) being actively exploited, but for Windows 7 users the vulnerability was exposed right after their operating system reached the end of its life.

Even for users of newer versions of Windows, and despite the severity of the security flaw, Microsoft said it would not be releasing a patch until February. Stepping in to plug the gap comes 0patch with a free micropatch for all versions of Windows affected by the vulnerability.

This is not the first time 0patch has stepped up to the plate and addressed a security issue before Microsoft. Although the Windows-maker says it will not release a fix until February's Patch Tuesday, the company did publish details of a workaround to help mitigate against the vulnerability. But, as 0patch notes, the workaround was not without issues.

Because the provided workaround has multiple negative side effects, and because it is likely that Windows 7 and Windows Server 2008 R2 users without Extended Security Updates will not get the patch at all (their support ended this month), we decided to provide a micropatch that simulates the workaround without its negative side effects.

The vulnerability is in jscript.dll, which is the scripting engine for legacy JScript code; note that all "non-legacy" JScript code (whatever that might be), and all JavaScript code gets executed by the newer scripting engine implemented in jscript9.dll.

Microsoft's workaround comprises setting permissions on jscript.dll such that nobody will be able to read it. This workaround has an expected negative side effect that if you're using a web application that employs legacy JScript (and can as such only be used with Internet Explorer), this application will no longer work in your browser.

0patch points out that there are other unwanted side effects of using Microsoft's workaround:

Windows Media Player is reported to break on playing MP4 files.

The sfc (Resource Checker), a tool that scans the integrity of all protected system files and replaces incorrect versions with correct Microsoft versions, chokes on jscript.dll with altered permissions.

Printing to "Microsoft Print to PDF" is reported to break.

Proxy automatic configuration scripts (PAC scripts) may not work.

For anyone using the 0patch platform, the patch is available right now. It is compatible with the 32- and 64-bit versions of Windows 7, Windows 10 v1709, Windows 10 v1803, Windows 10 v1809, Windows Server 2008 R2 and Windows Server 2019.

The company has produced a video showing the patch in action:

https://youtu.be/ixpBN_a2cHQ

It's also worth reading through the accompanying blog post for an explanation of how the patch works.

Link to post
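
The workaround described in the quoted article (permissions on jscript.dll set so that nobody can read it) can be audited per machine before deciding between it and the micropatch. The PowerShell below is an added example, not part of the original thread and not Microsoft's or 0patch's code; it assumes the workaround shows up as a Deny entry for Everyone (SID S-1-1-0) that covers read access, and it checks both the System32 and SysWOW64 copies.

```powershell
# Added example: report whether jscript.dll carries a read-deny ACL entry.
# Assumption: the workaround appears as a Deny ACE for Everyone (S-1-1-0)
# that includes read access. Run from an elevated 64-bit PowerShell.
# Uses only syntax available in PowerShell 2.0, the version shipped with Windows 7.
$EveryoneSid = 'S-1-1-0'
$ReadData    = [int][System.Security.AccessControl.FileSystemRights]::ReadData

function Get-JscriptWorkaroundState {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -Path $Path -PathType Leaf)) {
        return New-Object psobject -Property @{ Path = $Path; State = 'FileNotPresent' }
    }
    try {
        $acl = Get-Acl -Path $Path -ErrorAction Stop
    } catch {
        # A deny-all DACL can also block reading the ACL itself for non-owners.
        return New-Object psobject -Property @{ Path = $Path; State = 'AclUnreadable' }
    }

    # Explicit and inherited rules, with identities returned as SIDs so the
    # comparison does not depend on the localized name of "Everyone".
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])

    $deny = @($rules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq $EveryoneSid -and
        (([int]$_.FileSystemRights) -band $ReadData) -ne 0
    })

    $state = if ($deny.Count -gt 0) { 'WorkaroundApplied' } else { 'DefaultPermissions' }
    New-Object psobject -Property @{ Path = $Path; State = $state }
}

$targets = @(
    (Join-Path $env:windir 'System32\jscript.dll'),
    (Join-Path $env:windir 'SysWOW64\jscript.dll')   # 32-bit copy on 64-bit Windows
)
$targets | ForEach-Object { Get-JscriptWorkaroundState -Path $_ } |
    Format-Table Path, State -AutoSize
```

A machine reporting `WorkaroundApplied` is one where the side effects listed in the article (sfc, Windows Media Player, "Microsoft Print to PDF", PAC scripts) are to be expected.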

If you read the comments attached to this article it states that you must have registered with 0patch (IOW pay up first). It does not seem to be a freebie. I have not read the attached link yet but will later on today.

https://www.askwoody.com/2020/worried-about-the-adv200001-jscript-bug-0patch-to-the-rescue/

Link to post

Note that it is necessary to register a free account as you need to sign in to the application. Once you are signed in, data is synced between the local system and the server to determine the patch state of the system. The program lists patches that are available for free and for purchase in the interface; all it takes is to get the Internet Explorer 11 patch installed for the system to protect it against attacks that target the vulnerability.

0Patch states that its patch does not cause the side-effects that Microsoft's workaround is causing (web applications that make use of jscript.dll will not work anymore).

Administrators who run the 0Patch Agent software on their devices may toggle patches on or off in the interface.

source - https://www.ghacks.net/2020/01/23/0patch-releases-patch-for-internet-explorer-vulnerability-also-for-windows-7/

Link to post

@sman, great explanation - thank you. Just one more question: I have 3 PCs all running Windows 7 Home Premium x64 all running off the same router so do I have to register 3 times or just once? If you are unable to answer that I will contact 0Patch direct. You see, I am only on a pension and have been since I retired in 1995. Yes, I have not worked since that time - I rely on the government for money. IBM gave me a nice package to make me redundant back then. If you wish to know more I can send you a PM. 😀

Link to post

It is a per-machine license, so you'd have to purchase 3 licenses, then you'd just have to sign in with your account info in each client on each system and that should activate all 3 (licenses are tied to your email address and password that you create when signing up).  I know all this because I've been keeping a close eye on this program for obvious reasons being a Windows 7 holdout myself.

Link to post

@Pierre75 though it's about pro licenses for businesses, it should give an idea of personal use too.

How many PRO licenses do I need for my computers?

https://0patch.zendesk.com/hc/en-us/articles/360020552934-How-many-PRO-licenses-do-I-need-for-my-computers-

"https://tinyurl.com/tg46ex9"

https://0patch.zendesk.com/hc/en-us/articles/360018692234-Am-I-allowed-to-use-0patch-for-free-without-purchasing-a-license-

Edited by sman
Link to post

Thanks @sman and @exile360. I have passed the first hurdle with IE11. Posted a question on LzD forum and was shown how to cripple / remove IE11. Worked like a charm - been using FF for quite a while anyway. So 0patch is now on the back-burner for a while. Will send them an email asking re my laptops. My laptops do not receive any emails as I did not set up that function on purpose. Thunder in the heavens so another storm is brewing. 😀

Link to post

The email doesn't need to be accessed on the machine being protected.  You just create an account using an email then use the same login info to activate the paid version of the software, similar to entering a license key in most products.  It checks online to see that you've paid for a license and how many machines/instances you paid for as well as how many machines/instances are active and activates if you have any instances available.

Link to post

You might also find this page from their FAQ to be informative.  It explains a lot about the pros and cons of using 0patch for Windows 7 updates going forward, including the cost per year/per machine for the remainder of time they plan to offer the product/service (3 years; the same as Microsoft's schedule for extended updates for qualified organizations; likely because they will be developing their patches based on patches and details of exploits/vulnerabilities from Microsoft themselves during that period).

As far as individuals on this forum are concerned, they should also consider the fact that one of the primary components of protection in Malwarebytes Premium is Exploit Protection, which has already proven itself quite effective against many new 0-days both in detection/prevention through its behavior based rules, as well as through the more passive OS and software hardening techniques that it includes for shielding the OS and key applications from many types of exploits and potential vulnerabilities.  It certainly does not cover every system component and potential threat vector, and of course there have been many patches issued by MS to patch the Windows OS against vulnerabilities which would not currently be covered by the protection in Malwarebytes, however it should be known that it does go far in decreasing the chances of becoming a victim of a new 0-day exploit, including on unpatched systems.  It does not guarantee that 7 will be secure against all attacks, but it does greatly reduce the level of risk to have it.

Link to post

7 minutes ago, sman said:

@Pierre75 Hardwired, is it a LAN?

Yes, that's what it sounds like.

I did find a post on the MS support forums here that describes one method marked as the appropriate answer so that might be a solution.  I would think there would be a cleaner method than basically 'breaking' internet access, however if it's the best way and requires no third party tools then I guess that's the answer.  I found another post on their forums with basically the same reply to the same issue here.

I hope it helps, assuming there is no superior/more elegant solution.

Link to post

I also just came across this which describes another method, though I believe it requires that your network be set up as a domain (which requires Windows Pro, Enterprise or Ultimate I believe).

There may also be a way through your router/modem to restrict web access to specific devices while allowing only local network communications from the others, though I doubt most generic ISP routers/modems provide such functionality (though a router from the likes of Linksys/Cisco, Netgear, D-Link etc. should I would think).

Link to post

Configuring the router to limit network devices by MAC address is the normal way to go, which would leave LAN access intact. But why the need to go offline in the first place? As 0patch works to patch in the background with the system online, going offline will defeat the purpose.

Edited by sman
Link to post

54 minutes ago, sman said:

Configuring the router to limit network devices by MAC address is the normal way to go, which would leave LAN access intact. But why the need to go offline in the first place? As 0patch works to patch in the background with the system online, going offline will defeat the purpose.

He'd have to update it periodically, however he could keep it offline most of the time.  I also think he was considering not using 0patch and just keeping the systems offline to keep them safe, though I could be mistaken on that.

Link to post