[{"data":1,"prerenderedAt":1197},["ShallowReactive",2],{"I-maWsoucveWH7VpbVdiZ9YJQaZbJd1SsPfUgTAv7BA":3,"i-custom:keyboard-arrow-down":704,"i-custom:check":708,"i-custom:north-east":710,"Ctgup2631OIGX00NPmVZZt96GNeGVlg8dhSuVBX7uGQ":712},{"_site":4,"allMenuCtas":33,"allMenuItems":43,"allFooterMenuItems":207,"allFooterLinks":259,"allProductCategories":263,"allPlans":277,"allPatchCategories":288,"allCountries":622,"allPartnerCategories":664,"topBar":674,"allSocialLinks":695},{"globalSeo":5,"favicon":8,"faviconMetaTags":10,"locales":31},{"siteName":6,"titleSuffix":7},"0patch"," | 0patch",{"url":9},"https://www.datocms-assets.com/166020/1758709113-0patch_logo.svg",[11,19,23,27],{"tag":12,"attributes":13,"content":18},"link",{"sizes":14,"type":15,"rel":16,"href":17},"16x16","image/svg","icon","https://www.datocms-assets.com/166020/1758709113-0patch_logo.svg?auto=format&h=16&w=16",null,{"tag":12,"attributes":20,"content":18},{"sizes":21,"type":15,"rel":16,"href":22},"32x32","https://www.datocms-assets.com/166020/1758709113-0patch_logo.svg?auto=format&h=32&w=32",{"tag":12,"attributes":24,"content":18},{"sizes":25,"type":15,"rel":16,"href":26},"96x96","https://www.datocms-assets.com/166020/1758709113-0patch_logo.svg?auto=format&h=96&w=96",{"tag":12,"attributes":28,"content":18},{"sizes":29,"type":15,"rel":16,"href":30},"192x192","https://www.datocms-assets.com/166020/1758709113-0patch_logo.svg?auto=format&h=192&w=192",[32],"en",[34],{"id":35,"title":36,"reference":37,"externalLink":40,"variant":41,"publishTranslation":42},"7540649","Buy now",{"_modelApiKey":38,"slug":39},"page","pricing","","primary-green",true,[44,52,59,66,86,92,99,103,109,117,123,130,135,149,155,169,175],{"id":45,"children":46,"externalLink":40,"parent":47,"reference":49,"title":51,"description":40,"publishTranslation":42},"HC0Jv04qRuKuZzHWgfUcNw",[],{"id":48},"IL3SSc5ySpu4strWvTvZ_A",{"_modelApiKey":38,"slug":50},"in-the-media","In the media",{"id":53,"children":54,"externalLink":55,"parent":56,"reference":18,"title":58,"description":40,"publishTranslation":42},"Lf_fG7sJTeyY-YwXgCZM6A",[],"https://dist.0patch.com/download/latestagent",{"id":57},"InIESymQQManhdOiSJWRAA","Download 0patch Agent",{"id":60,"children":61,"externalLink":62,"parent":63,"reference":18,"title":65,"description":40,"publishTranslation":42},"H1wOcewmTj2BFNcm_3S4Pg",[],"https://support.0patch.com/hc/en-us/sections/22259984868242",{"id":64},"SWaM0xVVRG-TtXEDSCe6CA","User Manual",{"id":48,"children":67,"externalLink":40,"parent":83,"reference":18,"title":85,"description":40,"publishTranslation":42},[68,72],{"id":45,"title":51,"description":40,"parent":69,"reference":70,"externalLink":40,"publishTranslation":42,"children":71},{"id":48},{"_modelApiKey":38,"slug":50},[],{"id":73,"title":74,"description":74,"parent":75,"reference":76,"externalLink":40,"publishTranslation":42,"children":82},"GYvRoN-xQrK53JU9hoMC9g","From our blog",{"id":48},{"_modelApiKey":77,"slug":78,"title":79,"createdAt":80,"published":81},"article","micropatches-released-for-windows-storage-elevation-of-privilege-vulnerability-cv","Micropatches released for Windows Storage Elevation of Privilege Vulnerability (CVE-2026-21508)","2026-04-04T11:50:51+02:00","2026-03-31T00:00:00+02:00",[],{"id":84},"136494748","Featured",{"id":87,"children":88,"externalLink":40,"parent":18,"reference":89,"title":91,"description":40,"publishTranslation":42},"7537370",[],{"_modelApiKey":38,"slug":90},"windows10","Windows 10",{"id":93,"children":94,"externalLink":95,"parent":96,"reference":18,"title":97,"description":98,"publishTranslation":42},"KNhSd6vgR2mx15df8jrG1g",[],"https://support.0patch.com/hc/en-us",{"id":57},"Help Center","All sections",{"id":73,"children":100,"externalLink":40,"parent":101,"reference":102,"title":74,"description":74,"publishTranslation":42},[],{"id":48},{"_modelApiKey":77,"slug":78,"createdAt":80,"title":79,"published":81},{"id":104,"children":105,"externalLink":106,"parent":107,"reference":18,"title":108,"description":40,"publishTranslation":42},"YlQq8EI3S3Cjo6bX8KwScg",[],"https://www.0patch.com/files/0patch_End_User_License_Agreement.pdf",{"id":64},"License agreement",{"id":110,"children":111,"externalLink":40,"parent":112,"reference":113,"title":115,"description":116,"publishTranslation":42},"7537375",[],{"id":57},{"_modelApiKey":38,"slug":114},"contact","Contact us","Form demo",{"id":118,"children":119,"externalLink":40,"parent":18,"reference":120,"title":122,"description":40,"publishTranslation":42},"LT3XEcT4ToWK-CGDxHIvxA",[],{"_modelApiKey":38,"slug":121},"patches","Patches",{"id":124,"children":125,"externalLink":40,"parent":126,"reference":127,"title":129,"description":40,"publishTranslation":42},"C_hUUxSzRlWzUZJZiQKLWg",[],{"id":64},{"_modelApiKey":38,"slug":128},"privacy","Privacy policy",{"id":131,"children":132,"externalLink":40,"parent":18,"reference":133,"title":134,"description":40,"publishTranslation":42},"M7H9KVRYQbWzdi5przLT7w",[],{"_modelApiKey":38,"slug":39},"Pricing",{"id":57,"children":136,"externalLink":40,"parent":147,"reference":18,"title":148,"description":40,"publishTranslation":42},[137,140,143],{"id":53,"title":58,"description":40,"parent":138,"reference":18,"externalLink":55,"publishTranslation":42,"children":139},{"id":57},[],{"id":93,"title":97,"description":98,"parent":141,"reference":18,"externalLink":95,"publishTranslation":42,"children":142},{"id":57},[],{"id":110,"title":115,"description":116,"parent":144,"reference":145,"externalLink":40,"publishTranslation":42,"children":146},{"id":57},{"_modelApiKey":38,"slug":114},[],{"id":84},"Support",{"id":150,"children":151,"externalLink":40,"parent":18,"reference":152,"title":154,"description":40,"publishTranslation":42},"7540650",[],{"_modelApiKey":38,"slug":153},"blog","Blog",{"id":64,"children":156,"externalLink":40,"parent":167,"reference":18,"title":168,"description":40,"publishTranslation":42},[157,160,163],{"id":60,"title":65,"description":40,"parent":158,"reference":18,"externalLink":62,"publishTranslation":42,"children":159},{"id":64},[],{"id":104,"title":108,"description":40,"parent":161,"reference":18,"externalLink":106,"publishTranslation":42,"children":162},{"id":64},[],{"id":124,"title":129,"description":40,"parent":164,"reference":165,"externalLink":40,"publishTranslation":42,"children":166},{"id":64},{"_modelApiKey":38,"slug":128},[],{"id":84},"Documents",{"id":170,"children":171,"externalLink":40,"parent":18,"reference":172,"title":174,"description":40,"publishTranslation":42},"SH5u-VrlQeKwYFXpbtstHw",[],{"_modelApiKey":38,"slug":173},"partners","Partners",{"id":84,"children":176,"externalLink":40,"parent":18,"reference":18,"title":206,"description":40,"publishTranslation":42},[177,186,196],{"id":48,"title":85,"description":40,"parent":178,"reference":18,"externalLink":40,"publishTranslation":42,"children":179},{"id":84},[180,183],{"id":45,"title":51,"description":40,"parent":181,"reference":182,"externalLink":40,"publishTranslation":42},{"id":48},{"_modelApiKey":38,"slug":50},{"id":73,"title":74,"description":74,"parent":184,"reference":185,"externalLink":40,"publishTranslation":42},{"id":48},{"_modelApiKey":77,"slug":78,"createdAt":80,"title":79,"published":81},{"id":57,"title":148,"description":40,"parent":187,"reference":18,"externalLink":40,"publishTranslation":42,"children":188},{"id":84},[189,191,193],{"id":53,"title":58,"description":40,"parent":190,"reference":18,"externalLink":55,"publishTranslation":42},{"id":57},{"id":93,"title":97,"description":98,"parent":192,"reference":18,"externalLink":95,"publishTranslation":42},{"id":57},{"id":110,"title":115,"description":116,"parent":194,"reference":195,"externalLink":40,"publishTranslation":42},{"id":57},{"_modelApiKey":38,"slug":114},{"id":64,"title":168,"description":40,"parent":197,"reference":18,"externalLink":40,"publishTranslation":42,"children":198},{"id":84},[199,201,203],{"id":60,"title":65,"description":40,"parent":200,"reference":18,"externalLink":62,"publishTranslation":42},{"id":64},{"id":104,"title":108,"description":40,"parent":202,"reference":18,"externalLink":106,"publishTranslation":42},{"id":64},{"id":124,"title":129,"description":40,"parent":204,"reference":205,"externalLink":40,"publishTranslation":42},{"id":64},{"_modelApiKey":38,"slug":128},"Resources",[208,214,218,222,226,231,235,239,244,249,254],{"id":209,"column":210,"children":211,"externalLink":40,"parent":18,"reference":212,"title":122,"description":40,"publishTranslation":42},"Z7v-uM0cTOOBdk-s10IiJA",1,[],{"__typename":213,"_modelApiKey":38,"slug":121},"PageRecord",{"id":215,"column":210,"children":216,"externalLink":40,"parent":18,"reference":217,"title":134,"description":40,"publishTranslation":42},"Yr6Go03oTdSCq8pxdWdUsg",[],{"__typename":213,"_modelApiKey":38,"slug":39},{"id":219,"column":210,"children":220,"externalLink":40,"parent":18,"reference":221,"title":174,"description":40,"publishTranslation":42},"Ds1JBCIHQQKM3pJdA6ywFA",[],{"__typename":213,"_modelApiKey":38,"slug":173},{"id":223,"column":210,"children":224,"externalLink":40,"parent":18,"reference":225,"title":115,"description":40,"publishTranslation":42},"d9N0wsZhQsm7WLVqkmUWVQ",[],{"__typename":213,"_modelApiKey":38,"slug":114},{"id":227,"column":228,"children":229,"externalLink":40,"parent":18,"reference":230,"title":154,"description":40,"publishTranslation":42},"O9Oqpya5TZafs7o4l_8Nvg",2,[],{"__typename":213,"_modelApiKey":38,"slug":153},{"id":232,"column":228,"children":233,"externalLink":40,"parent":18,"reference":234,"title":51,"description":40,"publishTranslation":42},"QbA-8ChQT-eVxrfVlZzKaA",[],{"__typename":213,"_modelApiKey":38,"slug":50},{"id":236,"column":228,"children":237,"externalLink":95,"parent":18,"reference":18,"title":238,"description":40,"publishTranslation":42},"GcPu0RJNQu2cmfpL_Us1Lg",[],"Help center ",{"id":240,"column":228,"children":241,"externalLink":242,"parent":18,"reference":18,"title":243,"description":40,"publishTranslation":42},"NwREnz0XTvOJ93OHko_7xw",[],"https://status.0patch.com/","Status page",{"id":245,"column":228,"children":246,"externalLink":40,"parent":18,"reference":247,"title":248,"description":40,"publishTranslation":42},"UPh4X1tXRt24AhzNHaztFg",[],{"__typename":213,"_modelApiKey":38,"slug":114},"Write to support",{"id":250,"column":228,"children":251,"externalLink":252,"parent":18,"reference":18,"title":253,"description":40,"publishTranslation":42},"bUWsPw9eRvG4Ycl7j0yONg",[],"mailto:security@0patch.com","Report a security issue",{"id":255,"column":228,"children":256,"externalLink":257,"parent":18,"reference":18,"title":258,"description":40,"publishTranslation":42},"eB66OgJwSXSF0UWkhz1snQ",[],"https://www.0patch.com/files/0patch.asc","PGP KEY",[260],{"externalLink":40,"reference":261,"title":262,"publishTranslation":42},{"_modelApiKey":38,"slug":128},"Privacy",[264,269,273],{"__typename":265,"id":266,"name":267,"slug":268},"ProductCategoryRecord","Am0QLeVvQCuP42oCnhKABQ","Office","office",{"__typename":265,"id":270,"name":271,"slug":272},"VFAYSlgkRneu1oHcTKcpwQ","Server","server",{"__typename":265,"id":274,"name":275,"slug":276},"UNiVGxy_QViVXTpaSLXZlQ","Windows","windows",[278,282,285],{"__typename":279,"id":280,"title":281},"PlanRecord","T-QQY6XRSjeGbmXIK5kNCw","Free",{"__typename":279,"id":283,"title":284},"TOtXWfDyTjyO3H3OW_HRtQ","Professional",{"__typename":279,"id":286,"title":287},"KJjNQcHiRVa_mZqx_GtIrg","Enterprise",[289,423,520,561,605],{"__typename":290,"_allReferencingPatchesMeta":291,"_allReferencingPatches":293,"_modelApiKey":418,"name":419,"id":420,"slug":421,"icon":18,"supportDate":422},"PatchCategoryRecord",{"count":292},19,[294,302,310,317,325,333,340,346,352,358,364,370,376,382,388,394,400,406,412],{"id":295,"title":296,"description":297,"plans":298},"CHBzDqmWSkiUggiwCycMKQ","0day patches","\u003Cp>Patches for vulnerabilities the original vendor has not yet patched - both for legacy products and products that are still under official vendor support\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?type=0day\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our 0day patches\u003C/a>\u003C/strong>\u003C/p>",[299,300,301],{"id":280,"title":281},{"id":283,"title":284},{"id":286,"title":287},{"id":303,"title":304,"description":305,"plans":306},"W1zipVenRuaCpMLlbChNkg","Free patches","\u003Cp>Patches for \"0day\" vulnerabilities are generally free until the vendor has provided an official fix\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?plan=free\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our free patches\u003C/a>\u003C/strong>\u003C/p>",[307,308,309],{"id":280,"title":281},{"id":283,"title":284},{"id":286,"title":287},{"id":311,"title":312,"description":313,"plans":314},"JMf6o8nLRh2YNbSjeoWSbg","All patches","\u003Cp>All our patches we have ever issued, or will ever issue, including 0day and legacy patches\u003C/p>",[315,316],{"id":283,"title":284},{"id":286,"title":287},{"id":318,"title":319,"description":320,"plans":321},"N2SosqbOST-U5Q3FTqKT-g","Multi factor authentication (MFA)","\u003Cp>Require one-time code from an authenticator app when accessing 0patch Central\u003C/p>",[322,323,324],{"id":280,"title":281},{"id":283,"title":284},{"id":286,"title":287},{"id":326,"title":327,"description":328,"plans":329},"Aurt0TQWT3qrx--H6Bvtnw","0patch console - local management","\u003Cp>0patch Agent is managed locally using 0patch Console application\u003C/p>",[330,331,332],{"id":280,"title":281},{"id":283,"title":284},{"id":286,"title":287},{"id":334,"title":335,"description":336,"plans":337},"dvNfP_7ZQ6uyUtJO3ADbJQ","Standard email support","\u003Cp>Email support with 24-hour response time\u003C/p>",[338,339],{"id":283,"title":284},{"id":286,"title":287},{"id":341,"title":342,"description":343,"plans":344},"DRZtt1FJQ2OW742_5ZdcOQ","Central management","\u003Cp>Centrally manage and monitor all your 0patch Agents from web-based 0patch Central\u003C/p>",[345],{"id":286,"title":287},{"id":347,"title":348,"description":349,"plans":350},"C7j04lkDSSmPT2ikq9grug","IP address allow-listing","\u003Cp>Restricting access to 0patch Central so only users connecting from approved IP addresses can use it\u003C/p>",[351],{"id":286,"title":287},{"id":353,"title":354,"description":355,"plans":356},"aLo8Rj7YQsufFNozN8C6lw","Unattended agent installation","\u003Cp>Deploy 0patch Agent remotely without user interaction\u003C/p>",[357],{"id":286,"title":287},{"id":359,"title":360,"description":361,"plans":362},"dJECbsVMSGm7_ObPWiWSDQ","Agent auto-registration","\u003Cp>0patch Agent can automatically register itself to your 0patch account\u003C/p>",[363],{"id":286,"title":287},{"id":365,"title":366,"description":367,"plans":368},"WHM0-Mj0Sr2WZ1LwhTI9Dw","Silent run","\u003Cp>0patch Agent operates entirely in the background without showing notifications or prompts to the user\u003C/p>",[369],{"id":286,"title":287},{"id":371,"title":372,"description":373,"plans":374},"Zjk5YWqcS2al2C2OTEH82w","Patching policies","\u003Cp>Select which patches are enabled for which groups of computers, and whether newly issued patches are initially enabled or disabled\u003C/p>",[375],{"id":286,"title":287},{"id":377,"title":378,"description":379,"plans":380},"DXTTXN2ITtmy-Bclo1_iKQ","Computer groups","\u003Cp>Organize your computers in groups to simplify management and apply different policies to different sets of computers\u003C/p>",[381],{"id":286,"title":287},{"id":383,"title":384,"description":385,"plans":386},"Vna1HyM9Q4-kwJshD0-4Ag","Multi user support","\u003Cp>Add any number of users to 0patch Central\u003C/p>",[387],{"id":286,"title":287},{"id":389,"title":390,"description":391,"plans":392},"MZheRUWKRHuS_M3sPAvxWw","User roles","\u003Cp>Assign different roles to 0patch Central users to limit their access\u003C/p>",[393],{"id":286,"title":287},{"id":395,"title":396,"description":397,"plans":398},"em07-dXcQ2Of2IhpZzUeDQ","Mandatory MFA","\u003Cp>Administrator can make multi factor authentication mandatory for all 0patch Central users\u003C/p>",[399],{"id":286,"title":287},{"id":401,"title":402,"description":403,"plans":404},"DJ9WqVROQWiRnUxDr8ckeQ","SAML single sign-on","\u003Cp>Login to 0patch Central through your identity provider using the SAML protocol\u003C/p>",[405],{"id":286,"title":287},{"id":407,"title":408,"description":409,"plans":410},"c73GoxWmTXS5muxHXFl3HA","SCIM provisioning","\u003Cp>Manage 0patch Central users with your identity provider using SCIM protocol\u003C/p>",[411],{"id":286,"title":287},{"id":413,"title":414,"description":415,"plans":416},"QM6mK9qtTBe5OtMWfVnvvg","Professional services","\u003Cp>Custom patches and additional professional services are available to large customers\u003C/p>",[417],{"id":286,"title":287},"patch_category","Features","T2nlr7wWS3eNfLE8hfA1ew","features","2025-12-05",{"__typename":290,"_allReferencingPatchesMeta":424,"_allReferencingPatches":426,"_modelApiKey":418,"name":504,"id":505,"slug":506,"icon":507,"supportDate":519},{"count":425},11,[427,434,441,448,455,462,469,476,483,490,497],{"id":428,"title":429,"description":430,"plans":431},"Wn-S2pccQbKHM4Qi_CFf0Q","Windows 11 22H2 patches","\u003Cp>Windows 11 22H2 post-end-of-support patches\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?product=Windows+11\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our Windows 11 patches\u003C/a>\u003C/strong>\u003C/p>",[432,433],{"id":283,"title":284},{"id":286,"title":287},{"id":435,"title":436,"description":437,"plans":438},"KLIOm9vRTpWNef0hEYPZRw","Windows 11 21H2 patches","\u003Cp>Windows 11 21H2 post-end-of-support patches\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?product=Windows+11\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our Windows 11 patches\u003C/a>\u003C/strong>\u003C/p>",[439,440],{"id":283,"title":284},{"id":286,"title":287},{"id":442,"title":443,"description":444,"plans":445},"Z-_sUVTSRcyneegSkg6tEg","Windows 10 22H2 post-EOS patches","\u003Cp>Windows 10 22H2 post-end-of-support patches, for computers without Extended Security Updates (ESU), or computers with any full year of ESU updates installed\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?product=Windows+10\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our Windows 10 patches\u003C/a>\u003C/strong>\u003C/p>",[446,447],{"id":283,"title":284},{"id":286,"title":287},{"id":449,"title":450,"description":451,"plans":452},"OG3314TtS_mGEWsQ7I7rVg","Windows 10 21H2 patches","\u003Cp>Windows 10 21H2 post-end-of-support patches\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?product=Windows+10\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our Windows 10 patches\u003C/a>\u003C/strong>\u003C/p>",[453,454],{"id":283,"title":284},{"id":286,"title":287},{"id":456,"title":457,"description":458,"plans":459},"d-2ES_YuR7C4QuSmcXgi0Q","Windows 10 21H1 patches","\u003Cp>Windows 10 21H1 post-end-of-support patches\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?product=Windows+10\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our Windows 10 patches\u003C/a>\u003C/strong>\u003C/p>",[460,461],{"id":283,"title":284},{"id":286,"title":287},{"id":463,"title":464,"description":465,"plans":466},"R-A6Aep1TCCVLYwFbfK3Sw","Windows 10 20H2 patches","\u003Cp>Windows 10 20H2 post-end-of-support patches\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?product=Windows+10\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our Windows 10 patches\u003C/a>\u003C/strong>\u003C/p>",[467,468],{"id":283,"title":284},{"id":286,"title":287},{"id":470,"title":471,"description":472,"plans":473},"Dg4FaK9fS8KTa1o3Qhor6w","Windows 10 2004 patches","\u003Cp>Windows 10 2004 post-end-of-support patches\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?product=Windows+10\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our Windows 10 patches\u003C/a>\u003C/strong>\u003C/p>",[474,475],{"id":286,"title":287},{"id":283,"title":284},{"id":477,"title":478,"description":479,"plans":480},"MJlLPyxqTcy9ys2UaZYNKQ","Windows 10 v1909 patches","\u003Cp>Windows 10 1909 post-end-of-support patches\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?product=Windows+10\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our Windows 10 patches\u003C/a>\u003C/strong>\u003C/p>",[481,482],{"id":283,"title":284},{"id":286,"title":287},{"id":484,"title":485,"description":486,"plans":487},"GscjCa1TQOe5p5Or7g2qyw","Windows 10 v1809 patches","\u003Cp>Windows 10 1809 post-end-of-support patches\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?product=Windows+10\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our Windows 10 patches\u003C/a>\u003C/strong>\u003C/p>",[488,489],{"id":283,"title":284},{"id":286,"title":287},{"id":491,"title":492,"description":493,"plans":494},"OeQ8xMmJTmadIiPcKYkhvw","Windows 10 v1803 patches","\u003Cp>Windows 10 1803 post-end-of-support patches\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?product=Windows+10\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our Windows 10 patches\u003C/a>\u003C/strong>\u003C/p>",[495,496],{"id":283,"title":284},{"id":286,"title":287},{"id":498,"title":499,"description":500,"plans":501},"Obe8z8snRYGoLT6BZyzhZw","Windows 7 post-EOS and post-ESU patches","\u003Cp>Windows 7 post-end-of-support patches, for computers without Extended Security Updates (ESU), or computers with any full year of ESU updates installed\u003C/p>",[502,503],{"id":283,"title":284},{"id":286,"title":287},"Windows Patches","DXze3dvpTu-HF132vKjSug","microsoft-windows-xp",{"alt":508,"url":509,"width":510,"height":510,"responsiveImage":511},"Windows 11 logo","https://www.datocms-assets.com/166020/1764600963-win11.png",300,{"srcSet":512,"webpSrcSet":513,"sizes":514,"src":515,"width":516,"height":516,"aspectRatio":210,"alt":508,"title":18,"bgColor":517,"base64":518},"https://www.datocms-assets.com/166020/1764600963-win11.png?auto=compress&crop=focalpoint&fit=crop&h=40 40w,https://www.datocms-assets.com/166020/1764600963-win11.png?auto=compress&crop=focalpoint&dpr=1.5&fit=crop&h=40 60w,https://www.datocms-assets.com/166020/1764600963-win11.png?auto=compress&crop=focalpoint&dpr=2&fit=crop&h=40 80w,https://www.datocms-assets.com/166020/1764600963-win11.png?auto=compress&crop=focalpoint&dpr=3&fit=crop&h=40 120w,https://www.datocms-assets.com/166020/1764600963-win11.png?auto=compress&crop=focalpoint&dpr=4&fit=crop&h=40 160w","https://www.datocms-assets.com/166020/1764600963-win11.png?auto=compress&crop=focalpoint&fit=crop&fm=webp&h=40 40w,https://www.datocms-assets.com/166020/1764600963-win11.png?auto=compress&crop=focalpoint&dpr=1.5&fit=crop&fm=webp&h=40 60w,https://www.datocms-assets.com/166020/1764600963-win11.png?auto=compress&crop=focalpoint&dpr=2&fit=crop&fm=webp&h=40 80w,https://www.datocms-assets.com/166020/1764600963-win11.png?auto=compress&crop=focalpoint&dpr=3&fit=crop&fm=webp&h=40 120w,https://www.datocms-assets.com/166020/1764600963-win11.png?auto=compress&crop=focalpoint&dpr=4&fit=crop&fm=webp&h=40 160w","(max-width: 40px) 100vw, 40px","https://www.datocms-assets.com/166020/1764600963-win11.png?auto=compress&crop=focalpoint&fit=crop&h=40",40,"#0278cf","data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABgAAAAYCAMAAADXqc3KAAAA51BMVEUAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtG9HcQcAAAATXRSTlMAAQIDBAUGBwkKCwwNDg8QERITFBUWFxgZGhscHR4fICEiIyQlJicoKSorLC0uLzAxMjM0NTY4OTo7PD0+P0BBQkNERUZHSEpLTE1OTwjw0A0AAAEqSURBVHjapZHbbsMgDIZNcMwhm7ZW097/+XrTToNwSGKPkraqtN3NCAn/H8LmN4L2LxbyOcMer0cHJcYF9UhEwHQH10yWBdAa7y0MJW5dN9NkQQsgTuS9UUMNoQM/eQcaGiBjRlJMpgNljWlPrSugiABc9yOkpSKYeBhYlZR2MSUjUtJc8EKlWpXP8379QpAhxVCRc56tSvdu4VSt5NhqtHPOTxXgonpBhF+xN/IHgP8AlO1ZYu5AO08ynx/ym+UUm7sf1MF4uumfhwZCKHgg70YZuXx1cDi+W3ZEBR0Zi7wZs4/JOmdEbaxRuC3hXrA7ezW/BaZNwco57SYuuWQlpdaK37SuxPH75m4IxJBjLBjrxpVjuHWbYptHnts8Kg+at1Lv/6hVt12XH8K5sGlN/hfaAAAAAElFTkSuQmCC","2025-06-25",{"__typename":290,"_allReferencingPatchesMeta":521,"_allReferencingPatches":523,"_modelApiKey":418,"name":545,"id":546,"slug":547,"icon":548,"supportDate":519},{"count":522},3,[524,531,538],{"id":525,"title":526,"description":527,"plans":528},"DMZZcGMvQfaRElACxvHXyA","Windows Server 2012 R2 post-EOS patches","\u003Cp>Windows Server 2012 R2 post-end-of-support patches, for computers without Extended Security Updates (ESU), or computers with any full year of ESU updates installed\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?product=Windows+Server+2012+R2\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our Windows Server 2012 R2 patches\u003C/a>\u003C/strong>\u003C/p>",[529,530],{"id":283,"title":284},{"id":286,"title":287},{"id":532,"title":533,"description":534,"plans":535},"ZaeezXKkT3KGln5CQ4NH9w","Windows Server 2012 post-EOS patches","\u003Cp>Windows Server 2012 post-end-of-support patches, for computers without Extended Security Updates (ESU), or computers with any full year of ESU updates installed\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?product=Windows+Server+2012\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our Windows Server 2012 patches\u003C/a>\u003C/strong>\u003C/p>",[536,537],{"id":283,"title":284},{"id":286,"title":287},{"id":539,"title":540,"description":541,"plans":542},"RYxw9xwXR3-OWnsdr8dFEg","Windows Server 2008 R2 post-EOS and post-ESU patches","\u003Cp>Windows Server 2008 R2 post-end-of-support patches, for computers without Extended Security Updates (ESU), or computers with any full year of ESU updates installed\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?product=Windows+Server+2008+R2\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our Windows Server 2008 R2 patches\u003C/a>\u003C/strong>\u003C/p>",[543,544],{"id":283,"title":284},{"id":286,"title":287},"Windows Server Patches","J7WLPCrKS7i7B8sAyJpKWg","microsoft-windows-vista",{"alt":549,"url":550,"width":551,"height":510,"responsiveImage":552},"Windows Server 2012-2022 logo","https://www.datocms-assets.com/166020/1764600963-srv2012_2022.png",296,{"srcSet":553,"webpSrcSet":554,"sizes":555,"src":556,"width":557,"height":516,"aspectRatio":558,"alt":549,"title":18,"bgColor":559,"base64":560},"https://www.datocms-assets.com/166020/1764600963-srv2012_2022.png?auto=compress&crop=focalpoint&fit=crop&h=40 39w,https://www.datocms-assets.com/166020/1764600963-srv2012_2022.png?auto=compress&crop=focalpoint&dpr=1.5&fit=crop&h=40 58w,https://www.datocms-assets.com/166020/1764600963-srv2012_2022.png?auto=compress&crop=focalpoint&dpr=2&fit=crop&h=40 78w,https://www.datocms-assets.com/166020/1764600963-srv2012_2022.png?auto=compress&crop=focalpoint&dpr=3&fit=crop&h=40 117w,https://www.datocms-assets.com/166020/1764600963-srv2012_2022.png?auto=compress&crop=focalpoint&dpr=4&fit=crop&h=40 156w","https://www.datocms-assets.com/166020/1764600963-srv2012_2022.png?auto=compress&crop=focalpoint&fit=crop&fm=webp&h=40 39w,https://www.datocms-assets.com/166020/1764600963-srv2012_2022.png?auto=compress&crop=focalpoint&dpr=1.5&fit=crop&fm=webp&h=40 58w,https://www.datocms-assets.com/166020/1764600963-srv2012_2022.png?auto=compress&crop=focalpoint&dpr=2&fit=crop&fm=webp&h=40 78w,https://www.datocms-assets.com/166020/1764600963-srv2012_2022.png?auto=compress&crop=focalpoint&dpr=3&fit=crop&fm=webp&h=40 117w,https://www.datocms-assets.com/166020/1764600963-srv2012_2022.png?auto=compress&crop=focalpoint&dpr=4&fit=crop&fm=webp&h=40 156w","(max-width: 39px) 100vw, 39px","https://www.datocms-assets.com/166020/1764600963-srv2012_2022.png?auto=compress&crop=focalpoint&fit=crop&h=40",39,0.975,"#0b1f8e","data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABcAAAAYCAMAAAAmopZHAAABRFBMVEUAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIis0k1eAAAAbHRSTlMAAQIDBAUGBwgJCgsMDQ4PEBESExQVFhgZGhscHR4fICEiIyQlJicoKSorLC0uLzAxMjM0NTY3ODk6Ozw9Pj9AQUJDREVGR0hJSkxNTk9QUVRVVldYWVpbXF1fYWJjZGVmZ2lqa2xtbnBzdHY8yRY6AAABF0lEQVR42o2STU/EIBCGmWEodGm77sWj//+PeVAvRrNAYYY63cREs42R45PJ+xXIHD/6L0eU7Y7DZR4tl5QqGQQ0XXbql4fLHCyv11zpCRCMMIux43w5R4+yTqXSGQA24cadwuidG5C7iCG58dZaZ0ODs13vi+q8AxjltQr6VPKsOjkpf73Z9t23fn5+xICcs3L+mTOlkwcu9b5XKiCHfdXugNs4qE5WvoBFs+dRGmKMA7aSSqNHRAudWxXjwjTt92vSvguSxW0fAtw4ncYB+pprow6b0YkACIfRhxNBt+gqvVnnSKv1ze5DVIOdpQo9q7ezuoUhPy3LNFjhovoag787v8TzHEhqLvw7//VqAvXKB33L3//hC+5Cl3o2W4MJAAAAAElFTkSuQmCC",{"__typename":290,"_allReferencingPatchesMeta":562,"_allReferencingPatches":564,"_modelApiKey":418,"name":593,"id":594,"slug":595,"icon":596,"supportDate":519},{"count":563},4,[565,572,579,586],{"id":566,"title":567,"description":568,"plans":569},"axmNaLDGSs2BLTpJNU-fuQ","Microsoft Office 2019 post-EOS patches","\u003Cp>Microsoft Office 2019 post-end-of-support patches\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?product=Office+2019\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our Microsoft Office 2019 patches\u003C/a>\u003C/strong>\u003C/p>",[570,571],{"id":283,"title":284},{"id":286,"title":287},{"id":573,"title":574,"description":575,"plans":576},"MkFk40IJQhCcXnIO2ZDd4Q","Microsoft Office 2016 post-EOS patches","\u003Cp>Microsoft Office 2016 post-end-of-support patches\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?product=Office+2016\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our Microsoft Office 2016 patches\u003C/a>\u003C/strong>\u003C/p>",[577,578],{"id":283,"title":284},{"id":286,"title":287},{"id":580,"title":581,"description":582,"plans":583},"FFqWfGxfQF2q0uyjyRjVWg","Microsoft Office 2013 post-EOS patches","\u003Cp>Microsoft Office 2013 post-end-of-support patches\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?product=Office+2013\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our Microsoft Office 2013 patches\u003C/a>\u003C/strong>\u003C/p>",[584,585],{"id":283,"title":284},{"id":286,"title":287},{"id":587,"title":588,"description":589,"plans":590},"XFYgrsOyRpeuEXk29M4z9g","Microsoft Office 2010 post-EOS patches","\u003Cp>Microsoft Office 2010 post-end-of-support patches\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?product=Office+2010\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our Microsoft Office 2010 patches\u003C/a>\u003C/strong>\u003C/p>",[591,592],{"id":283,"title":284},{"id":286,"title":287},"Microsoft Office Patches","VH2unwR4RjycDA1o_6eSFw","microsoft-windows-7",{"alt":597,"url":598,"width":510,"height":510,"responsiveImage":599},"Microsoft Office logo","https://www.datocms-assets.com/166020/1764600963-office2013_2019.png",{"srcSet":600,"webpSrcSet":601,"sizes":514,"src":602,"width":516,"height":516,"aspectRatio":210,"alt":597,"title":18,"bgColor":603,"base64":604},"https://www.datocms-assets.com/166020/1764600963-office2013_2019.png?auto=compress&crop=focalpoint&fit=crop&h=40 40w,https://www.datocms-assets.com/166020/1764600963-office2013_2019.png?auto=compress&crop=focalpoint&dpr=1.5&fit=crop&h=40 60w,https://www.datocms-assets.com/166020/1764600963-office2013_2019.png?auto=compress&crop=focalpoint&dpr=2&fit=crop&h=40 80w,https://www.datocms-assets.com/166020/1764600963-office2013_2019.png?auto=compress&crop=focalpoint&dpr=3&fit=crop&h=40 120w,https://www.datocms-assets.com/166020/1764600963-office2013_2019.png?auto=compress&crop=focalpoint&dpr=4&fit=crop&h=40 160w","https://www.datocms-assets.com/166020/1764600963-office2013_2019.png?auto=compress&crop=focalpoint&fit=crop&fm=webp&h=40 40w,https://www.datocms-assets.com/166020/1764600963-office2013_2019.png?auto=compress&crop=focalpoint&dpr=1.5&fit=crop&fm=webp&h=40 60w,https://www.datocms-assets.com/166020/1764600963-office2013_2019.png?auto=compress&crop=focalpoint&dpr=2&fit=crop&fm=webp&h=40 80w,https://www.datocms-assets.com/166020/1764600963-office2013_2019.png?auto=compress&crop=focalpoint&dpr=3&fit=crop&fm=webp&h=40 120w,https://www.datocms-assets.com/166020/1764600963-office2013_2019.png?auto=compress&crop=focalpoint&dpr=4&fit=crop&fm=webp&h=40 160w","https://www.datocms-assets.com/166020/1764600963-office2013_2019.png?auto=compress&crop=focalpoint&fit=crop&h=40","#eb3c00","data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABgAAAAYCAMAAADXqc3KAAABSlBMVEXqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPAAMDLSTAAAAbnRSTlMAAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyAiIyQlJicoKSorLS4vMTIzNDU2Nzk6Ozw9P0BBQkNERkpMTU5PUFFSVVZXWVpbXF1eX2BhYmNkZmdoaWpsbW5vcHFzdXZ4fH5/gIKDhBdTJiUAAAERSURBVHjabdE5doQwDAZgSV6AwMsU06TN/e+TM6SfyeBNUsALTeKGhz7wL8sWzoU21yd8fN6Xn++vAGDruzcdyFhjrBuAK0mo4Kz3PL89OrxvyA0s+Un9Cg38bZPUtrLOmXleUSvctrk4W1obZHVZtscJ0zo5Ral1FsAjfG7gDCo3iLmIknU1w4BybtnwyqmAaAsXzhhfDZ4hMjJrhVwy7B1iiIWycIPktO90flWIz8ATctY8QERQtQEUVh6ARIjQT86Mow7OGDqsg+IQcs4CjT8KXzB7Rwraujo6Qe3g7TEF4dTHHmGEGwKVFF4ddkhXu8yxjqFd7T7qzDmG9LzgWqWkuO//QS4xhf0viDJzvctfA1KXpEpvxgMAAAAASUVORK5CYII=",{"__typename":290,"_allReferencingPatchesMeta":606,"_allReferencingPatches":607,"_modelApiKey":418,"name":614,"id":615,"slug":616,"icon":617,"supportDate":519},{"count":210},[608],{"id":609,"title":610,"description":611,"plans":612},"OuJP-mYgRRi-wc8RTcRbUg","Other products patches","\u003Cp>We occasionally patch other Windows products, for instance when a critical vulnerability becomes known and the vendor does not provide an official patch in a timely manner\u003C/p>",[613],{"id":283,"title":284},"Other","BrWA-hAsQYSROgTvF-1ecA","microsoft-windows-11",{"alt":618,"url":619,"width":620,"height":621,"responsiveImage":18},"Windows 7","https://www.datocms-assets.com/166020/1754390080-layer1.svg",44,38,[623,628,632,636,640,644,648,652,656,660],{"__typename":624,"id":625,"name":626,"slug":627},"CountryRecord","WYcngTKjTLSCPKXF1CGc3Q","Germany","germany",{"__typename":624,"id":629,"name":630,"slug":631},"W7K_V8xIQ4esd1pdctvLRg","Switzerland","switzerland",{"__typename":624,"id":633,"name":634,"slug":635},"YCAHqeAMSp2PAVyP3KGV4w","International","international",{"__typename":624,"id":637,"name":638,"slug":639},"IKNwlfjMQXOfKhtUID30BQ","Singapore","singapore",{"__typename":624,"id":641,"name":642,"slug":643},"UzXo_gH5Te-UnOfNwdsfWQ","Netherlands","netherlands",{"__typename":624,"id":645,"name":646,"slug":647},"JKw7Q4wpQ8eGJjvHXwfSAA","Spain","spain",{"__typename":624,"id":649,"name":650,"slug":651},"RZbGpAInTEivnMxZzdTzwg","Poland","poland",{"__typename":624,"id":653,"name":654,"slug":655},"NwnHmUQ6RIK_OV9865XH3Q","Australia","australia",{"__typename":624,"id":657,"name":658,"slug":659},"HfVwBnHDSfCassEtkYx9lQ","United Kingdom","united-kingdom",{"__typename":624,"id":661,"name":662,"slug":663},"UUYGwDAYR4qLZM5UmDcmVA","USA","usa",[665,670],{"__typename":666,"id":667,"name":668,"slug":669},"PartnerCategoryRecord","dQoYak16SOaHi1odGdVqmQ","MSPs & SOCs","msps-socs",{"__typename":666,"id":671,"name":672,"slug":673},"REE7lMU8RzC9jabDARcxYQ","Resellers & Distributors","resellers-distributors",{"id":675,"_modelApiKey":676,"__typename":677,"text":678,"link":679,"menuLinks":687},"WnQYb8xeS2irpBJ41pdDRA","top_bar","TopBarRecord","Micropatches released for Windows Netlogon Remote Code Execution Vulnerability (CVE-2026-41089)",[680],{"externalLink":40,"id":681,"recordLink":682,"variant":12,"icon":685,"title":686},"K2tgUizORgyofhnuTJ36dA",{"__typename":683,"_modelApiKey":77,"slug":684},"ArticleRecord","micropatches-released-for-windows-netlogon-remote-code-execution-vulnerability-cv",false,"Learn more",[688,691],{"id":689,"primary":685,"externalLink":95,"parent":18,"reference":18,"title":690,"description":40,"publishTranslation":42},"B1pEweRaRD2YBkP6aH1CfA","Help center",{"id":692,"primary":42,"externalLink":693,"parent":18,"reference":18,"title":694,"description":40,"publishTranslation":42},"Mk0Yz-yqTk2akShgf7ARNg","https://central.0patch.com/","Sign in",[696,700],{"id":697,"title":698,"url":699},"NDrk5d4kQ96J2aCuTr-gvg","0patch on X","https://twitter.com/0patch",{"id":701,"title":702,"url":703},"GqN4lYxyTMyzcmRllVY4mg","Linked In","https://linkedin.com/company/0patch",{"left":705,"top":705,"width":706,"height":706,"rotate":705,"vFlip":685,"hFlip":685,"body":707},0,24,"\u003Cg fill=\"none\">\u003Cpath d=\"M11.9999 15.0539L6.34619 9.40013L7.39994 8.34637L11.9999 12.9464L16.5999 8.34637L17.6537 9.40013L11.9999 15.0539Z\" fill=\"currentColor\"/>\u003C/g>",{"left":705,"top":705,"width":706,"height":706,"rotate":705,"vFlip":685,"hFlip":685,"body":709},"\u003Cg fill=\"none\">\u003Cpath d=\"M9.5501 18.0001L3.8501 12.3001L5.2751 10.8751L9.5501 15.1501L18.7251 5.9751L20.1501 7.4001L9.5501 18.0001Z\" fill=\"currentColor\"/>\u003C/g>",{"left":705,"top":705,"width":706,"height":706,"rotate":705,"vFlip":685,"hFlip":685,"body":711},"\u003Cg fill=\"none\">\u003Cpath d=\"M5.55375 19.5001L4.5 18.4464L15.9462 7.00012H9V5.50012H18.5V15.0001H17V8.05387L5.55375 19.5001Z\" fill=\"currentColor\"/>\u003C/g>",{"article":713},{"_firstPublishedAt":714,"_publishedAt":715,"_updatedAt":716,"_seoMetaTags":717,"_allSlugLocales":783,"_allPublishTranslationLocales":786,"published":788,"__typename":683,"_modelApiKey":77,"author":789,"createdAt":714,"id":790,"excerpt":40,"body":791,"image":1183,"readTime":40,"title":720,"slug":785,"publishTranslation":42,"seoMetadata":18},"2025-08-21T14:32:12+02:00","2026-05-29T15:30:39+02:00","2026-05-29T15:30:37+02:00",[718,721,725,728,732,735,738,742,746,750,753,756,759,762,765,768,772,775,779],{"tag":719,"attributes":18,"content":720},"title","0patching the \"Worst Windows Remote Code Execution Bug in Recent Memory\" CVE-2017-0290",{"tag":722,"attributes":723,"content":18},"meta",{"property":724,"content":720},"og:title",{"tag":722,"attributes":726,"content":18},{"name":727,"content":720},"twitter:title",{"tag":722,"attributes":729,"content":18},{"name":730,"content":731},"description","This is a 0patch website.",{"tag":722,"attributes":733,"content":18},{"property":734,"content":731},"og:description",{"tag":722,"attributes":736,"content":18},{"name":737,"content":731},"twitter:description",{"tag":722,"attributes":739,"content":18},{"property":740,"content":741},"og:image","https://www.datocms-assets.com/166020/1755779525-windows_defender_working.png?auto=format&fit=max&w=1200",{"tag":722,"attributes":743,"content":18},{"property":744,"content":745},"og:image:width","400",{"tag":722,"attributes":747,"content":18},{"property":748,"content":749},"og:image:height","281",{"tag":722,"attributes":751,"content":18},{"property":752,"content":720},"og:image:alt",{"tag":722,"attributes":754,"content":18},{"name":755,"content":741},"twitter:image",{"tag":722,"attributes":757,"content":18},{"name":758,"content":720},"twitter:image:alt",{"tag":722,"attributes":760,"content":18},{"property":761,"content":32},"og:locale",{"tag":722,"attributes":763,"content":18},{"property":764,"content":77},"og:type",{"tag":722,"attributes":766,"content":18},{"property":767,"content":6},"og:site_name",{"tag":722,"attributes":769,"content":18},{"property":770,"content":771},"article:modified_time","2026-05-29T13:30:37Z",{"tag":722,"attributes":773,"content":18},{"property":774,"content":40},"article:publisher",{"tag":722,"attributes":776,"content":18},{"name":777,"content":778},"twitter:card","summary",{"tag":722,"attributes":780,"content":18},{"name":781,"content":782},"robots","noindex",[784],{"value":785,"locale":32},"0patching-worst-windows-remote-code",[787],{"value":42,"locale":32},"2017-05-15T14:02:00+02:00","Mitja Kolsek","cH4eYaXJQdGssyHrk2WjOA",{"blocks":792,"links":885,"value":886},[793,809,819,832,846,860,872],{"id":794,"_modelApiKey":795,"__typename":796,"image":797},"NcxVohU6TsKTybp-EkOaIw","image","ImageRecord",{"alt":798,"url":799,"width":800,"height":801,"responsiveImage":802},"windows_defender_working","https://www.datocms-assets.com/166020/1757418323-windows_defender_working.png",797,561,{"srcSet":803,"webpSrcSet":804,"sizes":805,"src":799,"width":800,"height":801,"aspectRatio":806,"alt":798,"title":798,"bgColor":807,"base64":808},"https://www.datocms-assets.com/166020/1757418323-windows_defender_working.png?dpr=0.25 199w,https://www.datocms-assets.com/166020/1757418323-windows_defender_working.png?dpr=0.5 398w,https://www.datocms-assets.com/166020/1757418323-windows_defender_working.png?dpr=0.75 597w,https://www.datocms-assets.com/166020/1757418323-windows_defender_working.png 797w","https://www.datocms-assets.com/166020/1757418323-windows_defender_working.png?dpr=0.25&fm=webp 199w,https://www.datocms-assets.com/166020/1757418323-windows_defender_working.png?dpr=0.5&fm=webp 398w,https://www.datocms-assets.com/166020/1757418323-windows_defender_working.png?dpr=0.75&fm=webp 597w,https://www.datocms-assets.com/166020/1757418323-windows_defender_working.png?fm=webp 797w","(max-width: 797px) 100vw, 797px",1.4206773618538324,"#04b333","data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/2wCEAAoHBwgHBhMREwgTChINDhUaDQ0NDhUOEhUOFxgZGCITFhUmJisjGikoHRUiJDUlKC0vMjIyGSI4PTcwPCsxMi8BCgsLDg0OHBAQHDAoHhwvLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vNS8vLy8vLy8vLy8vLy8vL//AABEIABEAGAMBIgACEQEDEQH/xAAaAAACAgMAAAAAAAAAAAAAAAAABQEEAgMG/8QAHhAAAQMFAQEAAAAAAAAAAAAAAAMEBQECBjIzMVH/xAAWAQEBAQAAAAAAAAAAAAAAAAADAgD/xAAXEQEBAQEAAAAAAAAAAAAAAAABAAMx/9oADAMBAAIRAxEAPwDtrcVbO6emdcGZfRiykWyaWxN8w3rduSEBhjKJHDmCbf0C7JSjW9HoSMDQ44yJHiaa7EASWOVd/wAgABYnt//Z",{"id":810,"_modelApiKey":795,"__typename":796,"image":811},"fYBZJBnHSIayDHA-LrtGIg",{"alt":812,"url":813,"width":800,"height":801,"responsiveImage":814},"windows_defender_not_working","https://www.datocms-assets.com/166020/1757418323-windows_defender_not_working.png",{"srcSet":815,"webpSrcSet":816,"sizes":805,"src":813,"width":800,"height":801,"aspectRatio":806,"alt":812,"title":812,"bgColor":817,"base64":818},"https://www.datocms-assets.com/166020/1757418323-windows_defender_not_working.png?dpr=0.25 199w,https://www.datocms-assets.com/166020/1757418323-windows_defender_not_working.png?dpr=0.5 398w,https://www.datocms-assets.com/166020/1757418323-windows_defender_not_working.png?dpr=0.75 597w,https://www.datocms-assets.com/166020/1757418323-windows_defender_not_working.png 797w","https://www.datocms-assets.com/166020/1757418323-windows_defender_not_working.png?dpr=0.25&fm=webp 199w,https://www.datocms-assets.com/166020/1757418323-windows_defender_not_working.png?dpr=0.5&fm=webp 398w,https://www.datocms-assets.com/166020/1757418323-windows_defender_not_working.png?dpr=0.75&fm=webp 597w,https://www.datocms-assets.com/166020/1757418323-windows_defender_not_working.png?fm=webp 797w","#eb0322","data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/2wCEAAoHBwgHBhQUFAgVFgoXDhYMFQ0PDhENDQ0OFxYZGBYVIhUmHysvGh0oHRUWJDUlKC0vMjIyGSI4PTcwPCsxMi8BCgsLDg0OHRAQHS8dFh0vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vL//AABEIABEAGAMBIgACEQEDEQH/xAAZAAEAAwEBAAAAAAAAAAAAAAAABAUGAwL/xAAdEAABBAMBAQAAAAAAAAAAAAAAAgMEMgEFMQYW/8QAFgEBAQEAAAAAAAAAAAAAAAAAAwEA/8QAFxEBAQEBAAAAAAAAAAAAAAAAAQACEv/aAAwDAQACEQMRAD8A2CvIRJeenf4OFhvpJibJltNydjcx8puYKuiopnjYbbPQXEvaQltXAnLA6LJooe8VAJmzR5NAALA3/9k=",{"id":820,"_modelApiKey":795,"__typename":796,"image":821},"Knx57kYbRK6IgIHSxuqyFA",{"alt":822,"url":823,"width":801,"height":824,"responsiveImage":825},"crash_event_log","https://www.datocms-assets.com/166020/1757418323-crash_event_log.png",368,{"srcSet":826,"webpSrcSet":827,"sizes":828,"src":823,"width":801,"height":824,"aspectRatio":829,"alt":822,"title":822,"bgColor":830,"base64":831},"https://www.datocms-assets.com/166020/1757418323-crash_event_log.png?dpr=0.25 140w,https://www.datocms-assets.com/166020/1757418323-crash_event_log.png?dpr=0.5 280w,https://www.datocms-assets.com/166020/1757418323-crash_event_log.png?dpr=0.75 420w,https://www.datocms-assets.com/166020/1757418323-crash_event_log.png 561w","https://www.datocms-assets.com/166020/1757418323-crash_event_log.png?dpr=0.25&fm=webp 140w,https://www.datocms-assets.com/166020/1757418323-crash_event_log.png?dpr=0.5&fm=webp 280w,https://www.datocms-assets.com/166020/1757418323-crash_event_log.png?dpr=0.75&fm=webp 420w,https://www.datocms-assets.com/166020/1757418323-crash_event_log.png?fm=webp 561w","(max-width: 561px) 100vw, 561px",1.5244565217391304,"#0065b3","data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/2wCEAAoHBwgHBgoICAgLFhUTDhMVFQ0NDhUOFhEYFxUZGBYVFhUdHysjGh0oHRUWJDUlKC0vMjIyGSI4PTcwPCsxMi8BCgsLBQYFEBAFEC8cFhwvLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vL//AABEIABAAGAMBIgACEQEDEQH/xAAYAAADAQEAAAAAAAAAAAAAAAABAwQHAP/EAB0QAAIBBQEBAAAAAAAAAAAAAAABAgMEBRExQSL/xAAVAQEBAAAAAAAAAAAAAAAAAAACAP/EABQRAQAAAAAAAAAAAAAAAAAAAAD/2gAMAwEAAhEDEQA/ANEjiLRPox4S0kt7CqLfpTCl89CJCw1oo9OLI0lroCT/2Q==",{"id":833,"_modelApiKey":795,"__typename":796,"image":834},"WZRh1SEMTKeqpx6teqQRdQ",{"alt":835,"url":836,"width":837,"height":838,"responsiveImage":839},"crash_function_0","https://www.datocms-assets.com/166020/1757418323-crash_function_0.png",1379,500,{"srcSet":840,"webpSrcSet":841,"sizes":842,"src":836,"width":837,"height":838,"aspectRatio":843,"alt":835,"title":835,"bgColor":844,"base64":845},"https://www.datocms-assets.com/166020/1757418323-crash_function_0.png?dpr=0.25 344w,https://www.datocms-assets.com/166020/1757418323-crash_function_0.png?dpr=0.5 689w,https://www.datocms-assets.com/166020/1757418323-crash_function_0.png?dpr=0.75 1034w,https://www.datocms-assets.com/166020/1757418323-crash_function_0.png 1379w","https://www.datocms-assets.com/166020/1757418323-crash_function_0.png?dpr=0.25&fm=webp 344w,https://www.datocms-assets.com/166020/1757418323-crash_function_0.png?dpr=0.5&fm=webp 689w,https://www.datocms-assets.com/166020/1757418323-crash_function_0.png?dpr=0.75&fm=webp 1034w,https://www.datocms-assets.com/166020/1757418323-crash_function_0.png?fm=webp 1379w","(max-width: 1379px) 100vw, 1379px",2.758,"#0000ff","data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/2wCEAAoHBwgHBgoICAgFCgoFBQwFBQUFBREJCgUMFxMZGBYTFhUaHysjGh0oHRUWJDUlKC0vMjIyGSI4PTcwPCsxMi8BCgsLBQUFEAUFEC8cFhwvLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vL//AABEIAAkAGAMBIgACEQEDEQH/xAAVAAEBAAAAAAAAAAAAAAAAAAAAB//EABQQAQAAAAAAAAAAAAAAAAAAAAD/xAAVAQEBAAAAAAAAAAAAAAAAAAACAP/EABQRAQAAAAAAAAAAAAAAAAAAAAD/2gAMAwEAAhEDEQA/AK2AQgCT/9k=",{"id":847,"_modelApiKey":795,"__typename":796,"image":848},"Rq_vsCWnQXW2MWXPZriUHw",{"alt":849,"url":850,"width":851,"height":852,"responsiveImage":853},"diff2","https://www.datocms-assets.com/166020/1757418323-diff2.png",1600,737,{"srcSet":854,"webpSrcSet":855,"sizes":856,"src":850,"width":851,"height":852,"aspectRatio":857,"alt":849,"title":849,"bgColor":858,"base64":859},"https://www.datocms-assets.com/166020/1757418323-diff2.png?dpr=0.25 400w,https://www.datocms-assets.com/166020/1757418323-diff2.png?dpr=0.5 800w,https://www.datocms-assets.com/166020/1757418323-diff2.png?dpr=0.75 1200w,https://www.datocms-assets.com/166020/1757418323-diff2.png 1600w","https://www.datocms-assets.com/166020/1757418323-diff2.png?dpr=0.25&fm=webp 400w,https://www.datocms-assets.com/166020/1757418323-diff2.png?dpr=0.5&fm=webp 800w,https://www.datocms-assets.com/166020/1757418323-diff2.png?dpr=0.75&fm=webp 1200w,https://www.datocms-assets.com/166020/1757418323-diff2.png?fm=webp 1600w","(max-width: 1600px) 100vw, 1600px",2.1709633649932156,"#14a514","data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/2wCEAAoHBw4TDg4HCAgNDQgLDQ4QCA0NCxEOFg0NFx8ZGBYVFhUaHysjGh0oHRUWJDUlKC0vMjIyGSI4PTcwPCsxMi8BCgsLDg0OEAwNHC8dIhwvLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vL//AABEIAAwAGAMBIgACEQEDEQH/xAAWAAEBAQAAAAAAAAAAAAAAAAAAAQf/xAAVEAEBAAAAAAAAAAAAAAAAAAAAEf/EABYBAQEBAAAAAAAAAAAAAAAAAAIBAP/EABgRAAIDAAAAAAAAAAAAAAAAAABRAREi/9oADAMBAAIRAxEAPwDXoRAQVLLAoxNM/9k=",{"id":861,"_modelApiKey":795,"__typename":796,"image":862},"CVTdP1N-RTqALE_w16AQlw",{"alt":863,"url":864,"width":851,"height":865,"responsiveImage":866},"diff1","https://www.datocms-assets.com/166020/1757418323-diff1.png",1269,{"srcSet":867,"webpSrcSet":868,"sizes":856,"src":864,"width":851,"height":865,"aspectRatio":869,"alt":863,"title":863,"bgColor":870,"base64":871},"https://www.datocms-assets.com/166020/1757418323-diff1.png?dpr=0.25 400w,https://www.datocms-assets.com/166020/1757418323-diff1.png?dpr=0.5 800w,https://www.datocms-assets.com/166020/1757418323-diff1.png?dpr=0.75 1200w,https://www.datocms-assets.com/166020/1757418323-diff1.png 1600w","https://www.datocms-assets.com/166020/1757418323-diff1.png?dpr=0.25&fm=webp 400w,https://www.datocms-assets.com/166020/1757418323-diff1.png?dpr=0.5&fm=webp 800w,https://www.datocms-assets.com/166020/1757418323-diff1.png?dpr=0.75&fm=webp 1200w,https://www.datocms-assets.com/166020/1757418323-diff1.png?fm=webp 1600w",1.260835303388495,"#179713","data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/2wCEAAoHBwgHBgoIExMRDxEQDhgQDA8NDRENDRENGBMZGCIfFiEaHysjGh0oHSEiJTUlKC0vMjIyGSI4PTcwPCsxMi8BCgsLDg0OHA8QHS8cHig7Oy81Ly8vLy8vLy87OzsvLy8vLy8vLy8vLy8vLzUvLy8vLy8vLy8vLy8vLy8vLy8vL//AABEIABQAGAMBIgACEQEDEQH/xAAXAAEBAQEAAAAAAAAAAAAAAAAABAMH/8QAHhAAAgICAgMAAAAAAAAAAAAAAAECAwQREjMhcYH/xAAVAQEBAAAAAAAAAAAAAAAAAAAAAf/EABgRAQADAQAAAAAAAAAAAAAAAAABEkER/9oADAMBAAIRAxEAPwDrORPjeijw69kub3RKordHwhZjjNO2QM8N6vkgIS3WmWlziyivrXoAaawpilkSAAhIf//Z",{"id":873,"_modelApiKey":795,"__typename":796,"image":874},"KFHG4G-cTNyCYkLO4dPD8g",{"alt":875,"url":876,"width":877,"height":878,"responsiveImage":879},"vulnerable_function","https://www.datocms-assets.com/166020/1757418323-vulnerable_function.png",1323,1391,{"srcSet":880,"webpSrcSet":881,"sizes":882,"src":876,"width":877,"height":878,"aspectRatio":883,"alt":875,"title":875,"bgColor":844,"base64":884},"https://www.datocms-assets.com/166020/1757418323-vulnerable_function.png?dpr=0.25 330w,https://www.datocms-assets.com/166020/1757418323-vulnerable_function.png?dpr=0.5 661w,https://www.datocms-assets.com/166020/1757418323-vulnerable_function.png?dpr=0.75 992w,https://www.datocms-assets.com/166020/1757418323-vulnerable_function.png 1323w","https://www.datocms-assets.com/166020/1757418323-vulnerable_function.png?dpr=0.25&fm=webp 330w,https://www.datocms-assets.com/166020/1757418323-vulnerable_function.png?dpr=0.5&fm=webp 661w,https://www.datocms-assets.com/166020/1757418323-vulnerable_function.png?dpr=0.75&fm=webp 992w,https://www.datocms-assets.com/166020/1757418323-vulnerable_function.png?fm=webp 1323w","(max-width: 1323px) 100vw, 1323px",0.9511143062544932,"data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/2wCEAAoHBwgHBw0HDQcHBgcNDg0QDQgHBxENFgcNFxUZGBYfIiEaHysjGh0oHRUWJDUlKC0vMjIyGSI4PTcwPCsxMi8BCgsLDg0OHA8QFS8dIh0vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vL//AABEIABkAFwMBIgACEQEDEQH/xAAWAAEBAQAAAAAAAAAAAAAAAAAAAQf/xAAUEAEAAAAAAAAAAAAAAAAAAAAA/8QAFwEBAQEBAAAAAAAAAAAAAAAAAgMBAP/EABkRAQEAAwEAAAAAAAAAAAAAAAABAiFBEf/aAAwDAQACEQMRAD8A1wBlhTLQAfiNyQAncBAkLX//2Q==",[],{"schema":887,"document":888},"dast",{"type":889,"children":890},"root",[891,901,905,912,977,979,983,984,988,989,1009,1010,1029,1030,1052,1053,1071,1072,1100,1129],{"type":892,"children":893},"paragraph",[894,899],{"type":895,"marks":896,"value":898},"span",[897],"strong","Building up our Skills and Speed for the Future WannaCry Attacks",{"type":895,"value":900},"\n",{"type":892,"children":902},[903],{"type":895,"value":904},"Like many other stories of the past week, mine begins with this tweet.\n\n",{"type":906,"children":907},"blockquote",[908],{"type":892,"children":909},[910],{"type":895,"value":911},"I think @natashenka and I just discovered the worst Windows remote code exec in recent memory. This is crazy bad. Report on the way. 🔥🔥🔥— Tavis Ormandy (@taviso) May 6, 2017",{"type":892,"children":913},[914,916,925,927,934,936,943,945,952,954,961,963,966,968,975],{"type":895,"value":915},"\n\n",{"url":917,"meta":918,"type":12,"children":922},"https://twitter.com/natashenka",[919],{"id":920,"value":921},"target","_blank",[923],{"type":895,"value":924},"Natalie Silvanovich",{"type":895,"value":926}," and ",{"url":928,"meta":929,"type":12,"children":931},"https://twitter.com/taviso",[930],{"id":920,"value":921},[932],{"type":895,"value":933},"Tavis Ormandy",{"type":895,"value":935}," of Google Project Zero found a ",{"url":937,"meta":938,"type":12,"children":940},"https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5",[939],{"id":920,"value":921},[941],{"type":895,"value":942},"pretty nasty bug in Microsoft Malware Protection Engine",{"type":895,"value":944},", allowing an attacker to execute arbitrary code as LocalSystem on any Windows computer running any Microsoft anti-malware product such as Security Essentials or Windows Defender by simply having that computer access a malicious file. Attack vectors were abundant, from emailing the file or sending it via any other channel like Skype or Messenger, to having it hosted on a malicious web site or uploading it to an IIS web server.\n\nUnlike many other stories of the past week, mine is not about how Natalie and Tavis found this bug, how they reported it to Microsoft or how the fact that they found and reported it was made known to the public. Rather, it is about the bug itself, its root cause, and - of course - about writing a micropatch for it.\n\nBut first: why would we want to write a micropatch for a vulnerability that would quickly get automatically fixed on all Windows computers anyway? As you may know, Microsoft was super fast in fixing this bug and made an ",{"url":946,"meta":947,"type":12,"children":949},"https://technet.microsoft.com/en-us/library/security/4022344.aspx",[948],{"id":920,"value":921},[950],{"type":895,"value":951},"update",{"type":895,"value":953}," available literally over the weekend. Furthermore, the Malware Protection Engine is implemented as a dynamic-load library mpengine.dll, and Microsoft designed their anti-malware products smartly enough to not require a computer restart - the old DLL is simply unloaded, and the new one loaded.\n\nSo why write a micropatch? Well, ",{"url":955,"meta":956,"type":12,"children":958},"http://www.thewindowsclub.com/update-windows-defender-automatic-windows-updates-disabled",[957],{"id":920,"value":921},[959],{"type":895,"value":960},"not every computer gets updated automatically",{"type":895,"value":962},": while automatic application of updates is configured by default, admins can change that if they want to control what gets applied when. And enterprise admins like to have such control, allowing them to test new code before deploying it to computers throughout their organization. Just imagine the updated mpengine.dll having a flaw that prevented users from accessing legitimate files.\n\nAnother reason for writing this micropatch was to learn, as we haven't patched a security product before - and one can expect to stumble upon something new here (and stumble I did, as you will see). The final reason was to teach, to share some knowledge with those of you who want to analyze vulnerabilities yourselves and learn how to write micropatches.\n\n\n",{"type":895,"marks":964,"value":965},[897],"Reproducing CVE-2017-0290",{"type":895,"value":967},"\n\nThe first step in analyzing a vulnerability is to reproduce its exploitation. The Project Zero report provides a downloadable ",{"url":969,"meta":970,"type":12,"children":972},"https://bugs.chromium.org/p/project-zero/issues/attachment?aid=283405",[971],{"id":920,"value":921},[973],{"type":895,"value":974},"proof-of-concept file",{"type":895,"value":976},", which has a .zip extension, but is really an HTML-lookalike file that comprises a tiny exploit bit and a lot of random HTML content that makes sure the engine processes the file.\n\nReproducing on 64-bit Windows 8.1 was trivial - just downloading and saving the file was enough to make the Windows Defender service crash, instantly turning from this:\n\n",{"item":794,"type":978},"block",{"type":892,"children":980},[981],{"type":895,"value":982},"\n\n to this:\n\n",{"item":810,"type":978},{"type":892,"children":985},[986],{"type":895,"value":987},"\n\n\n\nAfter the crash, the Application Event Log contained an Error event about this crash, revealing the crashing module being mpengine.dll, and the crash location being at offset 0x21745a. (You will find a different crash address in Google's report because they were working on a 32-bit computer.)\n\n",{"item":820,"type":978},{"type":892,"children":990},[991,993,996,998,1002,1004,1007],{"type":895,"value":992},"\n\n\nNote that I was using mpengine.dll version 1.1.13701.0, which is the last vulnerable version before the fixed 1.1.13704.0. It is always good to do your analysis on the last vulnerable version in order to minimize the difference with the fixed version - you will thank yourself when diffing these versions.\n\n\n",{"type":895,"marks":994,"value":995},[897],"Analyzing CVE-2017-0290",{"type":895,"value":997},"\n\nWith the bug successfully reproduced, the path was clear towards analysis. Here, the Google report was a great start, as Natalie and Tavis have clearly gained substantial understanding of what goes on in the crash case. The most important detail for me was that it was a type confusion error, specifically with some function expecting a ",{"type":895,"marks":999,"value":1001},[1000],"emphasis","string ",{"type":895,"value":1003},"object but getting a ",{"type":895,"marks":1005,"value":1006},[1000],"number ",{"type":895,"value":1008},"object (which resulted in calling a string vtable function where there really was no vtable).\n\nThis was important because when a bug is a type confusion error, a typical fix is to add the missing check for the correct type. And such a fix is usually easy to recognize when observing the difference between vulnerable and fixed code.\n\nWhich brings us to IDA. The image below shows the function that crashed - the exact access violation location was the mov rax, [rcx] instruction (see the red box) at address 0x75A31745A, which is at offset  0x21745a from mpengine.dll's default base address.\n\n",{"item":833,"type":978},{"type":892,"children":1011},[1012,1014,1017,1019,1022,1024,1027],{"type":895,"value":1013},"\n\n\nWhen a vendor patch is available, diffing the vulnerable and the patched version usually provides useful information and allows you to understand the bug, and the patch, better. Diffing can be a time-consuming operation though first for the computer and then for you, and with large binaries (mpengine.dll is 12MB) you can get ",{"type":895,"marks":1015,"value":1016},[1000],"a lot",{"type":895,"value":1018}," of matched functions, and finding where the ",{"type":895,"marks":1020,"value":1021},[1000],"code logic ",{"type":895,"value":1023},"is different - as opposed to where the code is different - can be somewhat frustrating.\n\nSo I went on to diff the two versions of mpengine.dll, the vulnerable 1.1.13701.0 and the patched 1.1.13704.0. There were 38440 matched functions, which, in scientific terms, is ",{"type":895,"marks":1025,"value":1026},[1000],"an awful lot",{"type":895,"value":1028},". What I could do with these results was compare the above crashing function between the two versions. If I was lucky, the patch would be there and I could go home early.\n\n",{"item":847,"type":978},{"type":892,"children":1031},[1032,1034,1041,1043,1050],{"type":895,"value":1033},"\n\n\nNope. Both functions are logically identical, which means that the flaw (and the patch) is somewhere higher on the call stack. At this point one could diff all functions that call this function, but there are about 50 of them - and if all of those turned out to be identical as well, such approach could turn into an exponential mission impossible. (Not to mention that IDA may not see all callers.)\n \nNow about the call stack: you will notice that I haven't used a debugger up to this point, and the reason is that Windows Defender is a ",{"url":1035,"meta":1036,"type":12,"children":1038},"https://msdn.microsoft.com/en-us/library/windows/desktop/dn313124%28v=vs.85%29.aspx",[1037],{"id":920,"value":921},[1039],{"type":895,"value":1040},"protected service",{"type":895,"value":1042}," and as such tries very hard to protect itself from tampering. You cannot attach a debugger to a protected process, even if you're a local administrator. And it's not easy to un-protect a protected service either: while its protected status is defined by the LaunchProtected registry value (in our case under HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinDefend), you cannot change that value for Windows Defender while Windows Defender is running as it prevents you from \"attacking\" it.\n\nFortunately, we have a way to stop Windows Defender - by crashing it with the PoC. So what I did was crash Windows Defender, rename its LaunchProtected registry value, restarted the computer (the protected status of services is read only at system startup), then configured ",{"url":1044,"meta":1045,"type":12,"children":1047},"https://msdn.microsoft.com/en-us/library/windows/desktop/bb787181%28v=vs.85%29.aspx",[1046],{"id":920,"value":921},[1048],{"type":895,"value":1049},"Windows Error Reporting",{"type":895,"value":1051}," to generate dump files for crashing processes. (I only created the LocalDumps key and the DumpFolder value containing \"C:\\dumps\" in it.)\n\nAfter crashing Windows Defender again, I got its mini dump file in C:\\dumps, and it contained a full call stack for the access violation. I was only interested in locations from mpengine.dll:\n\nmpengine!FreeSigFiles+0x11ea9a \nmpengine!FreeSigFiles+0x12046f \nmpengine!FreeSigFiles+0x111e81 \nmpengine!FreeSigFiles+0x111d9e \nmpengine!FreeSigFiles+0x125eaa \nmpengine!FreeSigFiles+0x3de1d  \nmpengine!FreeSigFiles+0x3dbf5  \nmpengine!FreeSigFiles+0x125eaa \nmpengine!FreeSigFiles+0x117ade \nmpengine!FreeSigFiles+0x120146 \nmpengine!FreeSigFiles+0x113d76 \nmpengine!FreeSigFiles+0xcce7f  \nmpengine+0x54a99               \nmpengine+0x865e1               \nmpengine+0x50f3f               \nmpengine+0x50d1f               \nmpengine+0x8c208               \nmpengine+0x8bf47               \nmpengine!FreeSigFiles+0x174a3  \nmpengine+0x13b7d               \nmpengine!FreeSigFiles+0x1535a  \nmpengine!_rsignal+0x243        \nmpengine!_rsignal+0xe7   \n\nThe top one we already know - it's the access violation location in the crashing function that we diffed just moments ago. So I proceeded with the second address, FreeSigFiles+0x12046f, and located it in IDA. It was, as expected, after a call to the crashing function. I then took the address of the function containing that address, and viewed the diff with its patched version.\n\n",{"item":861,"type":978},{"type":892,"children":1054},[1055,1057,1060,1062,1064,1066,1069],{"type":895,"value":1056},"\n\n\nNow we're talking! This looks like a typical added check that exits a function if something is not right. (The patched version is on the left.) The upper red block is added code that takes rdi (the object) and passes it to a call to some function, and if the result of that function is 4, the execution continues as before, otherwise the return value (al) is set to 0 in the lower red block, and the function exits. The function that gets called from the upper red block seems to determine the type of the object and returns its ",{"type":895,"marks":1058,"value":1059},[1000],"type code",{"type":895,"value":1061},". Reviewing other calls to this function I found a very obvious implementation of JavaScript's typeof operator, which confirmed that ",{"type":895,"marks":1063,"value":1059},[1000],{"type":895,"value":1065}," for string is actually 4.\n\nThis is clearly the patch I was looking for. It was simple, it did exactly what I was expecting it to do, and it was in the code path of our crash.\n\n\n",{"type":895,"marks":1067,"value":1068},[897],"Micropatching CVE-2017-0290",{"type":895,"value":1070},"\n\nMy goal at this point was to create a micropatch that would inject the same patch logic into the vulnerable version of mpengine.dll. In a perfect world, I could use literally the same code that I found in the patched version, and inject it in the same place - but in this world a compiler likes to use different registers and different implementation of the same logic in two subsequent builds. So I had to re-implement the patch logic from the original patch.\n\nLet's look at the vulnerable function in IDA.\n\n",{"item":873,"type":978},{"type":892,"children":1073},[1074,1076,1080,1082,1085,1087,1093,1095,1098],{"type":895,"value":1075},"\n\n\nThe above image shows the vulnerable function and a good location for injecting our code. The location is selected so that it allows us to jump from our patchlet code directly to the function epilogue (the lowest block of code).\n\nHere is the patch code for 64-bit mpengine.dll version 1.1.13701.0:\n\n\n",{"type":895,"marks":1077,"value":1079},[1078],"code",";0patch for CVE-2017-0290 in 64-bit mpengine.dll version 1.1.13701.0\n\nMODULE_PATH \"C:\\Analysis\\CVE-2017-0290\\mpengine.dll_64bit_1.1.13701.0\\mpengine.dll\"\nPATCH_ID 271\nPATCH_FORMAT_VER 2\nVULN_ID 2436\nPLATFORM win64\n\n\npatchlet_start\n PATCHLET_ID 1\n PATCHLET_TYPE 2\n PATCHLET_OFFSET 0x218E10\n\n ; We'll need the GetTypeOf function and the location of function epilogue\n PIT mpengine.dll!0x218940,mpengine.dll!0x218E9A\n\n ; Note that GetTypeOf taints the following registers:\n ; rdx - always\n ; rcx - only in case of an exception\n ; rax - expected, this is the return value\n \n code_start\n\n  push rcx          ; We need to preserve rcx, as it's still used after our patchlet code\n                    ; while GetTypeOf taints rdx, we don't need to preserve it\n  mov rcx, r9       ; r9 points to the object\n  call PIT_0x218940 ; GetTypeOf object\n  pop rcx           ; restore rcx\n  cmp eax, 4        ; is the object of type string?\n  jz OK             ; It is? Very well, continue...\n\n  xor al, al        ; It isn't? Exit this function without doing anything, return 0\n  call PIT_ExploitBlocked ; Show \"Exploit attempt blocked\"\n  jmp PIT_0x218E9A  ; Jump to function epilogue\n \n  OK:\n\n code_end\npatchlet_end",{"type":895,"value":1081},"\n\nWhat this single-patchlet patch, inserted at the shown point in code, does is - just as the original patch - call GetTypeOf on the object (whose address is in register r9) and see if its type code is 4 (string). If it is, it continues execution of original code where it was injected . Otherwise, it sets the return code (register al) to 0 and jumps to function epilogue.\n\nNote that in order to avoid any negative side effects, I had to (1) review the GetTypeOf function to see which registers it may taint and whether that could impact the code after our injected patch (it taints rdx and rcx, but rdx holds nothing valuable at our injection point), and then (2) store rcx on the stack before calling GetTypeOf function because rcx holds some value that is still being used after our injected patch.\n\nI also wrote the same patch for the last vulnerable 32-bit version of mpengine.dll. If you have 0patch Agent installed, patches ZP-271 and ZP-272 should already be downloaded to your computer, waiting for any occurrence of the vulnerable mpengine.dll getting loaded.\n\n\n",{"type":895,"marks":1083,"value":1084},[897],"The Irony of Protected Services",{"type":895,"value":1086},"\n\n\nTo restore the original system configuration, I turned Windows Defender back to a protected service, and... shoot, the patch stopped getting applied. It quickly became clear that we can't inject our loader into the protected Windows Defender because only binaries signed by Microsoft are allowed to get loaded. (It's a bit ",{"url":1035,"meta":1088,"type":12,"children":1090},[1089],{"id":920,"value":921},[1091],{"type":895,"value":1092},"more complex than that",{"type":895,"value":1094}," but close enough.) This is Windows Defender protecting itself against local malware - even with admin privileges - trying to compromise it.\n\nThe irony is that a Windows anti-malware protection prevents our security product from fixing a vulnerability in Windows Defender, while the exploit for the same vulnerability can freely execute arbitrary code in Windows Defender. (Hmm, perhaps we should leverage this exploit to get our code running inside Windows Defender and thereby fix it.) \n\nSo while we're exploring options for extending our reach towards patching protected services, patches ZP-271 and ZP-272 for Malware Protection Engine will only get applied on Windows 7 and Windows Vista, which don't have protected services.  \n\n\n",{"type":895,"marks":1096,"value":1097},[897],"Experimenting with Micropatches for CVE-2017-0290",{"type":895,"value":1099},"\n\n\nIf you want to experiment with these micropatches, you'll need two things:\n",{"type":1101,"style":1102,"children":1103},"list","numbered",[1104,1111,1117,1123],{"type":1105,"children":1106},"listItem",[1107],{"type":892,"children":1108},[1109],{"type":895,"value":1110},"A 32-bit or 64-bit Windows 7 computer running Windows Defender. While you could also do the testing on newer Windows versions, you would have to un-protect the Windows Defender service in order to proceed. ",{"type":1105,"children":1112},[1113],{"type":892,"children":1114},[1115],{"type":895,"value":1116},"Vulnerable mpengine.dll. If your Windows Defender doesn't happen to have this exact version (unlikely, due to automatic updates), you can get it here:",{"type":1105,"children":1118},[1119],{"type":892,"children":1120},[1121],{"type":895,"value":1122},"32-bit mpengine.dll version 1.1.13701.0 for 32-bit Windows",{"type":1105,"children":1124},[1125],{"type":892,"children":1126},[1127],{"type":895,"value":1128},"64-bit mpengine.dll version 1.1.13701.0 for 64-bit Windows",{"type":892,"children":1130},[1131,1133,1139,1141,1147,1149,1156,1158,1165,1167,1174,1175,1181],{"type":895,"value":1132},"First of all, stop the Windows Defender service via elevated Services console.\n\nThen browse to C:\\ProgramData\\Microsoft\\Windows Defender (folder permissions don't originally allow you to open it so Windows will ask you for elevation, after which it will add your account to the folder ACL). Open folder Definition Updates, and notice one or more subfolders with GUID-like names starting with curly braces. Open each of these folders to find the one containing mpengine.dll. Rename the existing mpengine.dll into something else, then save the vulnerable mpengine.dll there.\n\nStart the Windows Defender service.\n\nDownload the",{"url":969,"meta":1134,"type":12,"children":1136},[1135],{"id":920,"value":921},[1137],{"type":895,"value":1138}," proof-of-concept file",{"type":895,"value":1140}," and store it in some empty temporary folder.\n\nLaunch the Windows Defender console via the Control Panel, and Custom-Scan the above folder. Notice that Windows Defender service crashes.\n\nNow install 0patch Agent on the computer. If you don't already have it, ",{"url":55,"meta":1142,"type":12,"children":1144},[1143],{"id":920,"value":921},[1145],{"type":895,"value":1146},"download a free copy",{"type":895,"value":1148}," and register it with your ",{"url":1150,"meta":1151,"type":12,"children":1153},"https://dist.0patch.com/User/Register",[1152],{"id":920,"value":921},[1154],{"type":895,"value":1155},"free 0patch account",{"type":895,"value":1157},".\n\nFinally, restart the Windows Defender service and re-scan the temporary folder. This time, you'll see an \"Exploit Attempt Blocked\" popup instead of Windows Defender crashing.\n\nIf you want to build our patches yourself, you can download their source code and build them using 0patch Agent for Developers.\n\n\nWhile this vulnerability has already been automatically fixed on most computers, it turned out to be an interesting learning experience to micropatch it. I hope this post will help future micropatchers jump-start their research.\n\nWhile I was writing this post, the world got pierced by the ",{"url":1159,"meta":1160,"type":12,"children":1162},"https://en.wikipedia.org/wiki/WannaCry_ransomware_attack",[1161],{"id":920,"value":921},[1163],{"type":895,"value":1164},"WannaCry",{"type":895,"value":1166}," ransomware worm exploiting a known vulnerability that had an official patch available for Windows operating systems which Microsoft supported at the time. Many hospitals and other critical infrastructure components were taken offline, partly also because they were stuck with unsupported OSs such as Windows XP. They have very rational and complex reasons for being on such outdated systems in 2017, and undoubtedly they will have similar reasons next year and the year after. One of our goals with 0patch is to provide protection for such end-of-support systems while users scramble to update them (and have the same problem almost immediately afterwards). Defending against modern attackers will require rapid response, and this exercise with CVE-2017-0290 - although likely of low value to users - was an example of building up skills and speed. The world will need a lot of 3rd-party patch developers though, so all existing and prospective security researchers are warmly welcome to join us.\n\n",{"url":1168,"meta":1169,"type":12,"children":1171},"https://twitter.com/mkolsek",[1170],{"id":920,"value":921},[1172],{"type":895,"value":1173},"@mkolsek",{"type":895,"value":900},{"url":699,"meta":1176,"type":12,"children":1178},[1177],{"id":920,"value":921},[1179],{"type":895,"value":1180},"@0patch",{"type":895,"value":1182},"\n\n\n\n\n\n",{"alt":720,"url":1184,"width":1185,"height":1186,"responsiveImage":1187},"https://www.datocms-assets.com/166020/1755779525-windows_defender_working.png",400,281,{"srcSet":1188,"webpSrcSet":1189,"sizes":1190,"src":1191,"width":1192,"height":1193,"aspectRatio":1194,"alt":720,"title":720,"bgColor":1195,"base64":1196},"https://www.datocms-assets.com/166020/1755779525-windows_defender_working.png?auto=compress&crop=focalpoint&dpr=0.25&fit=crop&w=1440 360w,https://www.datocms-assets.com/166020/1755779525-windows_defender_working.png?auto=compress&crop=focalpoint&fit=crop&w=1440 1440w","https://www.datocms-assets.com/166020/1755779525-windows_defender_working.png?auto=compress&crop=focalpoint&dpr=0.25&fit=crop&fm=webp&w=1440 360w,https://www.datocms-assets.com/166020/1755779525-windows_defender_working.png?auto=compress&crop=focalpoint&fit=crop&fm=webp&w=1440 1440w","(max-width: 1440px) 100vw, 1440px","https://www.datocms-assets.com/166020/1755779525-windows_defender_working.png?auto=compress&crop=focalpoint&fit=crop&w=1440",1440,1012,1.4229249011857708,"#0aa32d","data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/2wCEAAoHBwgHBhITEAgTCgoLDhUaDg0NDhENEg0SFxgZGBYTFhUmKCsjGh0oHRUiJTUlKC0vMjIyGSI4PTcwPCsxMi8BCgsLDg0OHBAQHDAoHhwvLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vNS8vLy8vLy8vLy8vLy8vL//AABEIABEAGAMBIgACEQEDEQH/xAAaAAACAgMAAAAAAAAAAAAAAAAABQEEAgMG/8QAHhAAAQMFAQEAAAAAAAAAAAAAAAMEBQECBjIzUTH/xAAWAQEBAQAAAAAAAAAAAAAAAAADAgD/xAAYEQADAQEAAAAAAAAAAAAAAAAAAQMxEf/aAAwDAQACEQMRAD8A7a3FWzuhnXBmXoxZSLZNLYm+Yb1u3JSAUIiiRw5gm3+gXZKUa3o9CRuEOMREjxNNdiAJRlhXf8gABQnp/9k=",1780067938440]