Unofficial Patches Released for Three Unfixed Windows Flaws

ACROS Security’s 0patch service has released unofficial patches for three Windows vulnerabilities that Microsoft has yet to address, including denial-of-service (DoS), file read, and code execution issues.

The patches have been made available by 0patch over the past week. One of them is for a Windows 10 flaw that can be exploited by a local unprivileged process to overwrite any file with the content of a Windows Error Reporting XML file.

The details of the flaw were made public last month by a researcher who uses the online moniker “SandboxEscaper.” The cybersecurity enthusiast has previously disclosed Windows vulnerabilities without giving Microsoft the chance to resolve them, in some cases out of frustration over how bug reports are handled.

While flaws that allow the content of a file to be overwritten can often be exploited for arbitrary code execution, in this case the attacker has little control over the content of the XML file, which makes the vulnerability useful mostly for DoS attacks in which the attacker overwrites an important system file.

The second vulnerability patched by 0patch, also disclosed last month by SandboxEscaper, can be exploited by an unprivileged process to read arbitrary files. The security hole exists in the Windows Installer and it can be leveraged to obtain potentially sensitive information.

The last vulnerability addressed by 0patch was disclosed recently by ZDI researcher John Page after Microsoft refused to release a fix within 90 days, as required by ZDI policies.

The flaw affects the Windows Contacts application and it allows an attacker to execute arbitrary code by getting a user to open a specially crafted VCF file. Microsoft initially said it would not patch the issue, but its engineering team later changed its mind. In December, Microsoft again told ZDI that it would not be releasing a patch.

0patch has released details for each of the vulnerabilities, along with the source code of the patches.

ACROS’s 0patch platform enables quick distribution, application and removal of small binary patches (micropatches). These fixes can be applied to running processes without the need to restart the targeted process or the device they are running on.

The 0patch service is still in beta – ACROS says it will soon come out of beta – but it has already delivered micropatches for several vulnerabilities affecting Microsoft products, including other security holes disclosed by SandboxEscaper.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
