Micropatches addressing three zero-day Windows flaws have been deployed by 0patch.
The vulnerabilities, which have yet to be addressed by Microsoft, include a zero-day remote code execution flaw in the Windows Contacts app.
0patch is an organisation which sends micropatches (small pieces of code, often less than 30 bytes) to computers and devices across the world, addressing software vulnerabilities. According to its website, 0patch addresses security flaws by “quickly fixing “0days” and unpatched vulnerabilities, end-of-life and unsupported products (including vulnerable old Java versions), providing patches for legacy OSes, vulnerable 3rd party components and customized software.”
The platform is still in beta, although the finished version is nearly ready to launch. 0patch has already released a number of micropatches for zero-day vulnerabilities in Microsoft products, to help businesses mitigate them temporarily until a full patch is released.
The latest round of fixes addresses three recently discovered vulnerabilities in Microsoft products.
The first patch addresses a flaw dubbed AngryPolarBear, which was discovered by security researcher SandboxEscaper, who published a proof-of-concept (PoC) exploit for it in December. The flaw does not allow remote code execution, but an attacker could use it to overwrite important system files, which makes it usable for denial-of-service (DoS) attacks.
The flaw allows a local unprivileged process to have a system file of its choosing overwritten by Windows Error Reporting (WER) with the contents of WER's own XML report file. The PoC replaces that XML file with a hard link to the chosen target. The attacker has little control over the contents of the XML file, but that is enough to corrupt a critical system file such as pci.sys and so prevent the system from booting. The micropatch stops the XML file from being deleted, which removes the opportunity to swap it for a hard link.
The second patch addresses another flaw uncovered by SandboxEscaper, dubbed readfile, for which a PoC exploit was also published in December. This flaw is in the Windows Installer and allows an unprivileged process to read arbitrary files, which could expose sensitive information; in the case of the PoC, the file read is desktop.ini.
The third patch addresses a flaw in the Windows Contacts app which, if exploited, could lead to remote code execution on a vulnerable device. The flaw was uncovered by researcher John Page, working with the Zero Day Initiative (ZDI), and was reported to Microsoft, which did not issue a fix within the 90-day disclosure window. Microsoft has announced that it will not be issuing a patch for the flaw, so while micropatches are intended to be temporary fixes, this one is likely to be permanent.
The flaw lies in the way .contact and .vcf contact files are stored and processed on Windows Vista through Windows 10. It allows an attacker to craft a contact file whose link points at a malicious payload placed in a sub-directory; the payload is run when the user clicks the link in the contact file.
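Because the Contacts flaw turns a link inside a contact file into a local program launch, a useful triage step is to list the link targets carried in .contact and .vcf files and flag any that do not point at an ordinary web site or e-mail address. The scanner below is an added example written for this article; it is not 0patch's code nor the researcher's PoC. It assumes the .contact XML layout (a `contact` root in the `http://schemas.microsoft.com/Contact` namespace with `Url/Value` and `EmailAddress/Address` entries) and uses constructed sample files; the exact link form used in the disclosed PoC is not described on this page, so the "suspicious" rule is a general heuristic: anything that is not an absolute http(s) URL with a host, a mailto: address or a plain e-mail address is flagged.

```python
"""Added example (not 0patch's or the researcher's code): list the link
targets in Windows .contact (XML) and .vcf files and flag the ones that do
not look like a plain web URL or e-mail address.  The .contact element
names and both sample files below are assumptions / constructed data."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Namespace of the Windows .contact XML format (assumed for this example).
NS = "{http://schemas.microsoft.com/Contact}"
WEB_SCHEMES = {"http", "https"}
EMAIL_RE = re.compile(r"^[^\s@\\/]+@[^\s@\\/]+\.[^\s@\\/]+$")
# vCard property line: URL or EMAIL, optional ;params, then the value.
VCF_LINE_RE = re.compile(r"^(URL|EMAIL)(?:;[^:]*)?:(.*)$", re.IGNORECASE)


def is_suspicious(kind, target):
    """True when a link field does not resolve to a web site or mailbox."""
    t = target.strip()
    if kind == "email":
        return not EMAIL_RE.match(t)
    parts = urlsplit(t)
    scheme = parts.scheme.lower()
    if scheme == "mailto":
        return not EMAIL_RE.match(parts.path)
    # No scheme (a relative path or UNC path), a non-web scheme such as
    # file:, or an http(s) URL with no host are all flagged.
    return scheme not in WEB_SCHEMES or not parts.netloc


def links_from_contact(xml_text):
    """Yield (kind, target) pairs from a .contact XML document."""
    root = ET.fromstring(xml_text)
    for url in root.iter(NS + "Url"):
        value = url.find(NS + "Value")
        if value is not None and value.text:
            yield "url", value.text
    for addr in root.iter(NS + "EmailAddress"):
        value = addr.find(NS + "Address")
        if value is not None and value.text:
            yield "email", value.text


def links_from_vcf(text):
    """Yield (kind, target) pairs from a vCard, unfolding continuation lines."""
    unfolded = re.sub(r"\r?\n[ \t]", "", text)
    for line in unfolded.splitlines():
        m = VCF_LINE_RE.match(line.strip())
        if m:
            yield m.group(1).lower(), m.group(2)


def scan(file_kind, text):
    """Return [(kind, target, suspicious)] for a 'contact' or 'vcf' body."""
    extract = links_from_contact if file_kind == "contact" else links_from_vcf
    return [(k, t.strip(), is_suspicious(k, t)) for k, t in extract(text)]


# Constructed sample .contact file: one normal URL, one relative local path.
SAMPLE_CONTACT = """<?xml version="1.0" encoding="UTF-8"?>
<c:contact c:Version="1" xmlns:c="http://schemas.microsoft.com/Contact">
  <c:NameCollection><c:Name c:ElementID="n1"><c:FormattedName>A. Person</c:FormattedName></c:Name></c:NameCollection>
  <c:EmailAddressCollection>
    <c:EmailAddress c:ElementID="e1"><c:Address>a.person@example.com</c:Address></c:EmailAddress>
  </c:EmailAddressCollection>
  <c:UrlCollection>
    <c:Url c:ElementID="u1"><c:Value>https://www.example.com/</c:Value></c:Url>
    <c:Url c:ElementID="u2"><c:Value>docs\\invoice.exe</c:Value></c:Url>
  </c:UrlCollection>
</c:contact>
"""

# Constructed sample vCard: one normal URL, one file: URL to a local program.
SAMPLE_VCF = """BEGIN:VCARD
VERSION:3.0
FN:A. Person
EMAIL;TYPE=INTERNET:a.person@example.com
URL:https://www.example.com/
URL:file:///C:/Users/Public/docs/invoice.exe
END:VCARD
"""

if __name__ == "__main__":
    for name, kind, body in (("sample.contact", "contact", SAMPLE_CONTACT),
                             ("sample.vcf", "vcf", SAMPLE_VCF)):
        for k, target, bad in scan(kind, body):
            print(f"{name}: {k} -> {target!r} {'SUSPICIOUS' if bad else 'ok'}")
```

Run on a mailbox export or a directory of contact files, this points out entries whose link would resolve to something on disk rather than on the web; it does not prove a file is malicious, only that it deserves a look before anyone clicks.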
The micropatches are delivered through the 0patch platform, which can be installed free of charge. The fixes have been developed for Windows 10 and, for the latter two vulnerabilities, Windows 7. 0patch support should be contacted for patches for other vulnerable Windows versions.