SecurityWeek

Unofficial Patches Released for Three Unfixed Windows Flaws

ACROS Security’s 0patch service has released unofficial patches for three Windows vulnerabilities that Microsoft has yet to address, including denial-of-service (DoS), file read, and code execution issues.

The patches have been made available by 0patch over the past week. One of them is for a Windows 10 flaw that can be exploited by a local unprivileged process to overwrite any file with the content of a Windows Error Reporting XML file.

The details of the flaw were made public last month by a researcher who uses the online moniker “SandboxEscaper.” The cybersecurity enthusiast has previously disclosed Windows vulnerabilities without giving Microsoft the chance to resolve them, in some cases out of frustration over how bug reports are handled.

While flaws that allow the content of a file to be overwritten can often be exploited for arbitrary code execution, in this case the attacker has little control over the content of the XML file. That makes the vulnerability useful mostly for DoS attacks, in which the attacker overwrites an important system file.

The second vulnerability patched by 0patch, also disclosed last month by SandboxEscaper, can be exploited by an unprivileged process to read arbitrary files. The security hole exists in the Windows Installer and it can be leveraged to obtain potentially sensitive information.

The last vulnerability addressed by 0patch was disclosed recently by ZDI researcher John Page after Microsoft refused to release a fix within 90 days, as required by ZDI policies.

The flaw affects the Windows Contacts application and it allows an attacker to execute arbitrary code by getting a user to open a specially crafted VCF file. Microsoft initially said it would not patch the issue, but its engineering team later changed its mind. In December, Microsoft again told ZDI that it would not be releasing a patch.

0patch has released details for each of the vulnerabilities, along with the source code of the patches.

ACROS’s 0patch platform enables quick distribution, application and removal of small binary patches (micropatches). These fixes can be applied to running processes without the need to restart the targeted process or the device they are running on.

The 0patch service is still in beta – ACROS says it will soon come out of beta – but it has already delivered micropatches for several vulnerabilities affecting Microsoft products, including other security holes disclosed by SandboxEscaper.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
