<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>0patch Blog</title>
    <link>https://0patch.com/blog</link>
    <description>Security patches, vulnerability research, and updates from 0patch</description>
    <language>en</language>
    <lastBuildDate>Fri, 29 May 2026 15:18:54 GMT</lastBuildDate>
    <atom:link href="https://0patch.com/rss.xml" rel="self" type="application/rss+xml"/>
    
    <item>
      <title>Micropatches released for Windows Netlogon Remote Code Execution Vulnerability (CVE-2026-41089)</title>
      <link>https://0patch.com/blog/micropatches-released-for-windows-netlogon-remote-code-execution-vulnerability-cv</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-released-for-windows-netlogon-remote-code-execution-vulnerability-cv</guid>
      <description>May 2026 Windows Updates brought a patch for CVE-2026-41089, a remotely exploitable issue on Windows Server acting as a domain controller. Under certain conditions, an unauthenticated attacker on the local network could send a malicious request to the server and cause memory corruption - which could potentially be escalated into arbitrary code execution.
The vulnerability was found internally by Microsoft, but the official patch was reverse engineered and turned into a proof-of-concept by Aretiq AI. This, with a bit of our own effort, allowed us to reproduce the issue and create patches for legacy Windows users.

The Vulnerability 
This is a pre-authentication remotely exploitable vulnerability in the Netlogon service on a Windows Server acting as a domain controller. A single carefully crafted UDP packet to the CLDAP DC-locator port (UDP/389) overflows a stack buffer inside the LSASS process, corrupts the memory, and crashes the process. The server reboots about 60 seconds later.</description>
      <pubDate>Mon, 25 May 2026 22:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches released for Windows Shell Link Processing Spoofing Vulnerability (CVE-2026-25185)</title>
      <link>https://0patch.com/blog/micropatches-released-for-windows-shell-link-processing-spoofing-vulnerability-cv</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-released-for-windows-shell-link-processing-spoofing-vulnerability-cv</guid>
      <description>March 2026 Windows Updates brought a patch for CVE-2026-25185, a flaw in Windows Explorer's processing of .LNK files that allowed an attacker to force the user's computer to authenticate to a malicious server when the user viewed a shared folder.
The vulnerability was found by TrustedSec researcher Christopher Paschen, who also wrote a detailed article and shared a proof-of-concept, which allowed us to reproduce the issue and create patches for legacy Windows users.
 
The Vulnerability 
Quoting Christopher: &quot;In short, if you have a .lnk with a populated Darwin ExtraData block, and a populated icon environment data block, the system will attempt to open the path pointed to by the icon environment data block. This causes the system to authenticate out to the target, allowing for relay and various credential attacks.&quot;
 
Microsoft's Patch
Microsoft fixed this by adding two IsTrustedZonePath calls before both PathFileExistsW calls in CShellLink::_UpdateIconFromExpIconSz.</description>
      <pubDate>Sun, 24 May 2026 22:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches released for Windows Accessibility Infrastructure Elevation of Privilege Vulnerability (CVE-2026-24291, CVE-2026-25186, CVE-2026-25187)</title>
      <link>https://0patch.com/blog/micropatches-released-for-windows-accessibility-infrastructure-elevation-of-privi</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-released-for-windows-accessibility-infrastructure-elevation-of-privi</guid>
      <description>March 2026 Windows Updates brought a patch for three related vulnerabilities, CVE-2026-24291, CVE-2026-25186 and CVE-2026-25187. All three have a common root cause: a local user can create a symbolic link in a registry key associated with their user session, tricking some privileged process into following such a link and doing their thing with it - resulting in privilege escalation or information disclosure.
The three issues were reported to Microsoft by Google Project Zero security researcher James Forshaw. In addition, after Microsoft had patched these issues, MDSec's Filip Dragovic posted an article revealing they had also known about this issue (dubbed &quot;RegPwn&quot;) and were using it in their internal red team engagements.
We initially addressed CVE-2026-24291 with our patch, but the patch then turned out to also resolve CVE-2026-25186 and CVE-2026-25187, which is why we're covering all three issues in the same article (and the same patch).</description>
      <pubDate>Mon, 18 May 2026 22:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches released for Windows Telephony Service Elevation of Privilege Vulnerability (CVE-2026-20931)</title>
      <link>https://0patch.com/blog/micropatches-released-for-windows-telephony-service-elevation-of-privilege-vulner2</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-released-for-windows-telephony-service-elevation-of-privilege-vulner2</guid>
      <description>January 2026 Windows Updates brought a patch for CVE-2026-20931, a privilege escalation in Windows Telephony Service that allowed a remote low-privileged attacker to promote themselves to a service administrator, and then have the service execute their malicious code remotely. 
The vulnerability was found and reported to Microsoft by Sergey Bliznyuk with Positive Technologies, who also published a detailed technical article that allowed us to reproduce the issue and create patches for legacy Windows users.

The Vulnerability 
In short, the vulnerability is caused by a missing security check to ensure the path the user wants to write to is actually a mailslot path, and not a path on the file system. As a result, a local unprivileged user (or a remote one, if so configured) can overwrite any file writable by Network Service with arbitrary content. An obvious candidate for this is Telephony Service's own tsec.ini file, which - among other things - defines service administrators.</description>
      <pubDate>Tue, 21 Apr 2026 22:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches released for Windows Error Reporting Service Elevation of Privilege Vulnerability (CVE-2026-20817)</title>
      <link>https://0patch.com/blog/micropatches-released-for-windows-error-reporting-service-elevation-of-privilege</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-released-for-windows-error-reporting-service-elevation-of-privilege</guid>
      <description>January 2026 Windows Updates brought a patch for CVE-2026-20817, a local privilege elevation vulnerability in Windows Error Reporting Service, allowing a local non-admin attacker to execute arbitrary code as Local System user.
The vulnerability was found and reported to Microsoft by Denis Faiustov and Ruslan Sayfiev with GMO Cybersecurity by Ierae. Subsequently, security researcher Clément Labro reverse-engineered Microsoft's patch and posted their analysis, accompanied by a proof-of-concept. These allowed us to reproduce the issue and create patches for users of Windows systems that are no longer receiving official Microsoft patches.
 
The Vulnerability 
The vulnerability is in what seems to be an unneeded SvcElevatedLaunch function that allows any local user to have Windows Error Reporting Service launch WerFault.exe with arbitrary arguments as Local System.
 
Microsoft's Patch
Microsoft patched this issue by removing the SvcElevatedLaunch function.</description>
      <pubDate>Thu, 16 Apr 2026 22:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches released for Windows Shell Security Feature Bypass Vulnerability (CVE-2026-21510)</title>
      <link>https://0patch.com/blog/micropatches-released-for-windows-shell-security-feature-bypass-vulnerability-cve</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-released-for-windows-shell-security-feature-bypass-vulnerability-cve</guid>
      <description>February 2026 Windows Updates brought a patch for CVE-2026-21510, a security feature bypass in Windows Explorer that allowed a Windows shortcut to launch a remotely hosted DLL without any warning to the user even if the mark of the web was present.
The vulnerability was found to be exploited in the wild, and a sample was uploaded to malware repositories, which allowed us to reproduce the issue and create patches for legacy Windows users.
 
The Vulnerability 
Normally, when a user double-clicks a Windows shortcut (LNK) file with the mark-of-the-web or located on an untrusted share, Windows Explorer pops up a security warning about the shortcut's untrusted source.
The vulnerability at hand allowed a malicious LNK file, either one copied to the user's computer (thus having the mark-of-the-web) or one located on an untrusted remote share, to bypass this security warning and immediately load and execute an attacker's remotely hosted DLL.
The flaw was specifically in the way the &quot;All Control Panel Items&quot; GUID was processed.</description>
      <pubDate>Mon, 13 Apr 2026 22:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches released for Windows Storage Elevation of Privilege Vulnerability (CVE-2026-21508)</title>
      <link>https://0patch.com/blog/micropatches-released-for-windows-storage-elevation-of-privilege-vulnerability-cv</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-released-for-windows-storage-elevation-of-privilege-vulnerability-cv</guid>
      <description>February 2026 Windows Updates brought a patch for CVE-2026-21508, a local privilege escalation vulnerability in the Windows Storage component allowing a low-privileged local user to run arbitrary code as Local System.
The vulnerability was found and reported to Microsoft by security researcher Oscar Zanotti Campo. Oscar subsequently published a detailed analysis of the vulnerability and a proof-of-concept, both of which allowed us to reproduce and patch this issue for our users.
 
The Vulnerability 
This flaw is in the windows.storage.dll module when used by WUDFHost.exe. The WUDFHost.exe process impersonates the user while loading sensitive registry keys from the Classes\CLSID\ path for resolving the target handles. A local attacker can leverage this to get WUDFHost to use their own registry keys and load a malicious DLL, which can then revert the impersonation and run code as Local System.
 
Microsoft's Patch
Microsoft's patch forces WUDFHost.</description>
      <pubDate>Mon, 30 Mar 2026 22:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches released for Arbitrary Registry Key Delete As Local System With Consolidator Scheduled Task (CVE-2025-59512)</title>
      <link>https://0patch.com/blog/micropatches-released-for-arbitrary-registry-key-delete-as-local-system-with-cons</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-released-for-arbitrary-registry-key-delete-as-local-system-with-cons</guid>
      <description>November 2025 Windows Updates brought a patch for CVE-2025-59512, a local privilege escalation vulnerability in Customer Experience Improvement Program, allowing a low-privileged Windows user to delete an arbitrary registry key as Local System - which can be used for running privileged code at a later time.
The vulnerability was found and reported to Microsoft by security researcher Tianlin Zhang. Security researcher Clément Labro subsequently reverse-engineered Microsoft's patch for another vulnerability but also detailed this arbitrary registry key delete issue in their article, which allowed us to reproduce and patch this issue for our users.
 
The Vulnerability 
The vulnerability is in the way the &quot;Consolidator&quot; scheduled task, part of the Customer Experience Improvement Program on Windows, deletes all registry subkeys under one of its own registry keys when started. Due to improper permissions on said key, any local user can specify a further subkey that is a symbolic link to another key anywhere else in the registry and run the scheduled task.</description>
      <pubDate>Sun, 29 Mar 2026 22:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches released for Desktop Windows Manager Elevation of Privilege Vulnerability (CVE-2025-55681)</title>
      <link>https://0patch.com/blog/desktop-windows-manager-elevation-of-privilege</link>
      <guid isPermaLink="true">https://0patch.com/blog/desktop-windows-manager-elevation-of-privilege</guid>
      <description>October 2025 Windows Updates brought a fix for CVE-2025-55681, a local privilege escalation vulnerability in Desktop Windows Manager that allowed a low-privileged attacker to execute malicious code as Local System. The vulnerability was subsequently described in detail by SSD Secure Disclosure, allowing us to reproduce it and create a patch for legacy Windows systems.
 
The Vulnerability 
The vulnerability is a memory corruption issue, caused by accessing an allocated memory block out of bounds.
 
Microsoft's Patch
Microsoft's patch added an out-of-bounds check to the code, which terminates the process in case of violation. This effectively turned the local privilege escalation vulnerability into a denial of service vulnerability, but the assumption is that terminating the Desktop Windows Manager on a computer does not benefit the local attacker.
 
Our Patch
Our patch is logically identical to Microsoft's. 
Micropatch Availability

Micropatches were written for the following security-adopted Windows versions:
Windows 11 v21H2 - fully updated

Windows 10 v21H2 - fully updated

Windows 10 v21H1 - fully updated

Windows 10 v20H2 - fully updated

Windows 10 v2004 - fully updated

Windo</description>
      <pubDate>Sun, 22 Mar 2026 23:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches released for Microsoft Access Remote Code Execution Vulnerability (CVE-2025-62552)</title>
      <link>https://0patch.com/blog/micropatches-released-for-microsoft-access-remote-code-execution-vulnerability-cv</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-released-for-microsoft-access-remote-code-execution-vulnerability-cv</guid>
      <description>December 2025 Windows Updates brought a patch for CVE-2025-62552, a remote code execution vulnerability in Microsoft Access that could allow a remote attacker to have their malicious code executed on the user's computer upon opening a Word file with an Access database connection.
The vulnerability was discovered and reported to Microsoft by security researcher Alberto Bruscino. Alberto subsequently published a detailed article, and shared their POC with us, which allowed us to reproduce the vulnerability and create patches for it.
 
The Vulnerability 
The vulnerability is in the way Microsoft Access creates a database file in an ODBC connection, whereby a malicious Word file with an Access database connection (such as via the &quot;mail merge&quot; functionality) can create an arbitrary Word file in an Office-trusted location, subsequently resulting in the attacker's Word macros being executed with the user's identity. (See Alberto's article for a detailed process.)</description>
      <pubDate>Tue, 17 Mar 2026 23:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches released for Windows Telephony Service Elevation of Privilege Vulnerability (CVE-2024-43626)</title>
      <link>https://0patch.com/blog/micropatches-released-for-windows-telephony-service-elevation-of-privilege-vulner</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-released-for-windows-telephony-service-elevation-of-privilege-vulner</guid>
      <description>Our new CVE tracking app has been working hard these days, finding things our poor human eyes were unable or too tired to see. In this case, it alerted us about a vulnerability that was described in an article about another vulnerability we had long since patched.
CVE-2024-43626, a privilege escalation vulnerability in Windows Telephony Service, was described in an article by Đào Tuấn Linh of Starlabs. The article was primarily about CVE-2024-26230, which we had patched in August 2024, but it also mentioned a related issue CVE-2024-43626, reportedly co-analyzed by Chen Le Qi of Starlabs. While the proof-of-concept was only provided for the &quot;main&quot; vulnerability, we were able to modify it to trigger the secondary one.
 
The Vulnerability 
The vulnerability is in the way Windows Telephony Service reads a certain registry value into memory, whereby the value could be loaded without the trailing zero terminator. Should this happen, a subsequent _wcsupr operation would upper-case the string beyond the end of the buffer - potentially corrupting the memory there in such a way as to lead to arbitrary code execution.</description>
      <pubDate>Tue, 10 Feb 2026 23:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches released for Microsoft Excel Remote Code Execution Vulnerability (CVE-2025-62203)</title>
      <link>https://0patch.com/blog/micropatches-released-for-microsoft-excel-remote-code-execution-vulnerability-cve</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-released-for-microsoft-excel-remote-code-execution-vulnerability-cve</guid>
      <description>November 2025 Windows Updates brought a patch for CVE-2025-62203, a remote code execution vulnerability in Microsoft Excel that could allow a remote attacker to have their malicious code executed on the user's computer upon opening an Excel file.
The vulnerability was discovered and reported to Microsoft by Quan Jin with DBAPPSecurity.
 
The Vulnerability 
The vulnerability is a use-after-free issue, whereby opening a malicious Excel document results in an already freed memory block being freed again, corrupting the heap. A carefully constructed document could potentially exploit this fact for arbitrary code execution.
The attacker would have to convince the user to open their malicious Excel document. Upon opening the document, Excel complains that the document was damaged and offers to recover it; choosing &quot;Yes&quot; to start the recovery process leads to the vulnerability being triggered. 
Among our security-adopted Office versions, we found this vulnerability to affect not only Office 2016 and 2019 click-to-run, but also Office 2013.</description>
      <pubDate>Mon, 02 Feb 2026 23:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches Released for Microsoft Office Security Feature Bypass Vulnerability (CVE-2026-21509)</title>
      <link>https://0patch.com/blog/micropatches-released-for-microsoft-office-security-feature-bypass-vulnerability</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-released-for-microsoft-office-security-feature-bypass-vulnerability</guid>
      <description>Two days ago, Microsoft released an emergency update for Microsoft Office, resolving CVE-2026-21509, a vulnerability in Office that was found to be exploited in the wild. Microsoft's advisory initially stated that vulnerability details were publicly disclosed, but later reversed that claim. The advisory provided very little information on the vulnerability but it did provide mitigation recommendations for those who can't immediately apply the update.
These recommendations indicate the vulnerability relies on the ability to embed a Shell.Explorer.1 OLE object (Windows Class ID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}) in an Office document. This object is actually an embedded Internet Explorer or Windows Explorer component, and has been an instrument of various exploits and security tricks in the past. Most notably, Yorick Koster wrote a very good article about embedding such objects in Office documents back in 2018, and how double-clicking such an embedded object and confirming an (admittedly not too scary-looking) security warning resulted in launching an arbitrary executable on the user's computer.</description>
      <pubDate>Tue, 27 Jan 2026 23:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches Released for Credential Security Support Provider Protocol (CredSSP) Elevation of Privilege Vulnerability (CVE-2025-47987)</title>
      <link>https://0patch.com/blog/micropatches-released-for-credential-security-support-provider-protocol-credssp-e</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-released-for-credential-security-support-provider-protocol-credssp-e</guid>
      <description>July 2025 Windows Updates brought a patch for CVE-2025-47987, a privilege escalation vulnerability in Windows Credential Security Support Provider that could allow a local low-privileged attacker to execute arbitrary code as Local System user. The vulnerability was discovered and reported to Microsoft by Erik Egsgard with Field Effect.
Subsequently, security researcher Kryptoenix reverse-engineered Microsoft's patch and published a detailed analysis of this vulnerability and shared a proof-of-concept.
 
The Vulnerability 
The vulnerability is a heap-based buffer overflow that occurs because of a numeric overflow when the length of user-supplied data is calculated. The numeric overflow leads to the result being a small number, so the buffer allocated for the user-supplied data ends up being too small for the data. When the data is copied to the buffer, adjacent memory blocks on the heap are overwritten, which in the case of the proof-of-concept (POC) results in memory corruption and crashing of lsass.</description>
      <pubDate>Mon, 05 Jan 2026 23:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Free Micropatches for Windows Remote Access Connection Manager DoS (0day)</title>
      <link>https://0patch.com/blog/free-micropatches-for-windows-remote-access-connection-manager-dos-0day</link>
      <guid isPermaLink="true">https://0patch.com/blog/free-micropatches-for-windows-remote-access-connection-manager-dos-0day</guid>
      <description>[Update 2/10/2026] With February 10, 2026 Windows Updates, Microsoft patched this vulnerability on still-supported affected Windows versions and assigned it CVE-2026-21525. By that time, our users on both supported and legacy Windows versions had already had this vulnerability patched for 60 days.
During our investigation of CVE-2025-59230, a Windows Remote Access Connection Manager elevation of privilege vulnerability that was patched by Microsoft with October 2025 Windows updates, we found an exploit for it that nicely demonstrated local arbitrary code execution as Local System when launched as a non-admin Windows user.
Interestingly though, this exploit - while exploiting CVE-2025-59230 - also included an exploit for another vulnerability that turned out to have remained unpatched to this day. Let's take a closer look.
CVE-2025-59230 is a fairly simple vulnerability, conceptually similar to CVE-2025-49760, which we had recently patched.</description>
      <pubDate>Thu, 11 Dec 2025 23:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Microsoft Silently Patched CVE-2025-9491 - We Think Our Patch Provides More Security</title>
      <link>https://0patch.com/blog/microsoft-silently-patched-cve-2025-9491-we-think-our-patch-provides-more-securit</link>
      <guid isPermaLink="true">https://0patch.com/blog/microsoft-silently-patched-cve-2025-9491-we-think-our-patch-provides-more-securit</guid>
      <description>Patching What You See vs. Patching What You Execute
Summary: Trend Micro discovered that attackers have long been using a trick to hide what a Windows shortcut actually does, preventing users from seeing malicious commands. Microsoft decided this was not patch-worthy. Others then found this same trick still being exploited, and the issue got a CVE. Microsoft doubled down, but silently patched the issue so that malicious commands can no longer be hidden. We created a different patch that actually blocks discovered attacks.

The story - or at least its public part - begins on March 18, 2025, with Trend Micro's publication of Advisory ZDI-25-148 and an associated article titled Windows Shortcut Exploit Abused as Zero-Day in Widespread APT Campaigns. This article by Peter Girnus and Aliakbar Zahravi describes how they observed close to a thousand malicious Windows shortcut (.lnk) files being used in various offensive campaigns dating back to 2017.</description>
      <pubDate>Mon, 01 Dec 2025 23:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches Released for Windows Installer Elevation of Privilege Vulnerability (CVE-2025-50173)</title>
      <link>https://0patch.com/blog/micropatches-released-for-windows-installer-elevation-of-privilege-vulnerability</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-released-for-windows-installer-elevation-of-privilege-vulnerability</guid>
      <description>August 2025 Windows Updates brought a patch for CVE-2025-50173, a privilege escalation vulnerability in Windows Installer that could allow a local low-privileged attacker to execute arbitrary code as Local System user.
This vulnerability is really an extension (or bypass, if you will), of CVE-2024-38014, which we had patched a year ago. 
 
The Vulnerability 
The vulnerability was again in the &quot;Repair&quot; operation of Windows Installer, which has been patched many times in the past (see this article for context). Much like before, under certain conditions a non-admin user could perform the repair operation on an installed application and exploit the resulting elevated processes.
 
Microsoft's Patch
Microsoft's patch changes the behavior of Windows Installer such that it requires elevation (i.e., admin credentials) when a repair operation is initiated.
 
Our Patch
Our patch is logically identical to Microsoft's. 
Let's see our patch in action.</description>
      <pubDate>Wed, 29 Oct 2025 23:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Welcome to your new family, Windows 10!</title>
      <link>https://0patch.com/blog/welcome-to-your-new-family-windows-10</link>
      <guid isPermaLink="true">https://0patch.com/blog/welcome-to-your-new-family-windows-10</guid>
      <description>Keeping Windows 10 Running Securely for Years to Come Without Breaking your Bank

Today is October 14, 2025 - the day of the last free Windows update for Windows 10 22H2.
Last free update? Well, Microsoft caved in and gave consumers with Home, Professional, Pro Education, or Workstations edition one free year of Extended Security Updates (ESU), with various meanings of &quot;free&quot;.
For all business users, however, the time is up: three more years of Extended Security Updates are offered by Microsoft, but their price is $61 for the first year, and it doubles for the second year and again for the third, totaling $427 for every Windows 10 computer over three years. It is clear Microsoft wants everyone to either upgrade to Windows 11 or pay them a lot of money.
With an estimated 240 million Windows 10 computers being ineligible for upgrade due to Windows 11 hardware requirements, we're looking at a large number of Windows 10 computers going on without security patches on one hand, and many others ending up in landfill on the other.</description>
      <pubDate>Mon, 13 Oct 2025 22:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches Released for Windows Storage Spoofing Vulnerability (CVE-2025-49760)</title>
      <link>https://0patch.com/blog/micropatches-released-for-windows-storage-spoofing-vulnerability-cve-2025-49760</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-released-for-windows-storage-spoofing-vulnerability-cve-2025-49760</guid>
      <description>July 2025 Windows Updates brought a patch for CVE-2025-49760, a local privilege escalation vulnerability allowing a local unprivileged attacker to manipulate Windows Storage Service and extract local machine's NTLM credentials. The vulnerability was found and reported to Microsoft by Ron Ben Yizhak with SafeBreach.
 
The Vulnerability 
The vulnerability allows a low-privileged user on a computer to register Windows Storage Service's RPC endpoint on the RPC Endpoint Mapper before the service manages to register it, resulting in the service subsequently connecting to the attacker's process, trusting its responses and allowing it to extract Local System's NTLM credentials. These can then be used against an Active Directory Certificate Service to perform the so-called &quot;ESC8&quot; attack (originally described in this SpecterOps article).
Security researcher Ron Ben Yizhak describes the vulnerability in detail in this SafeBreach article.
Ron also kindly released a POC that can be used to reproduce the issue.</description>
      <pubDate>Tue, 07 Oct 2025 22:00:00 GMT</pubDate>
    </item>
    <item>
      <title>End Of Security For Microsoft Office 2016 and 2019? Not With 0patch!</title>
      <link>https://0patch.com/blog/end-of-security-for-microsoft-office-2016-and-2019-not-with-0patch</link>
      <guid isPermaLink="true">https://0patch.com/blog/end-of-security-for-microsoft-office-2016-and-2019-not-with-0patch</guid>
      <description>Expensive Upgrade is Not Your Only Option: 0patch Will Secure Your Office Apps For Years To Come!
[Update 1/28/2026] As with previous Office versions, Microsoft is still providing updates for &quot;volume license&quot; Office 2016 and 2019 even though their support officially ended in October 2025. At some point, Microsoft will stop providing these security updates, at which point our security patches will be the only patches for these as well. If you're using volume licensed Office versions, keep applying Microsoft's updates, as our future patches for these will be written for &quot;fully-updated&quot; Office.

Much like for Windows 10, this October will also be the last month of Microsoft's official security fixes for Microsoft Office versions 2016 and 2019. The implied narrative goes: if you want to keep using Office securely, you have to throw out your 2016 and 2019 versions - which may work perfectly well for you - and either purchase Office 2024 or subscribe to one of the Microsoft 365 plans.</description>
      <pubDate>Mon, 25 Aug 2025 22:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches Released for Windows Update Service Elevation of Privilege Vulnerability (CVE-2025-48799)</title>
      <link>https://0patch.com/blog/micropatches-released-for-windows</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-released-for-windows</guid>
      <description>July 2025 Windows Updates brought a patch for CVE-2025-48799, a local privilege elevation vulnerability allowing a local non-administrative attacker to obtain administrative privileges. The vulnerability was found and reported to Microsoft by Filip Dragović.
 
The Vulnerability 
The vulnerability allows a low privileged user on a computer with at least two hard drives to confuse the Windows Update service into deleting a chosen folder. Arbitrary file or folder deletion can be turned into arbitrary code execution as Local System, as was first shown by Jonas Lykkegård in 2020 using Windows Error Reporting Service, and subsequently also by Abdelhamid Naceri using Windows Installer.
Filip kindly released a POC that can be used to reproduce the issue.
 
Microsoft's Patch
Microsoft patched this issue by adding a check for symbolic links for the user-supplied path. 
 
Our Patch
Our patch is logically identical to Microsoft's.
Let's see our patch in action:

 
Micropatch Availability

Micropatches were written for the following security-adopted Windows versions:
Windows 11 v21H2 - fully updated

Windows 10 v21H2 - fully updated

Windows 10 v21H1 - fully updated

Windows 10 v20H2 - fully upd</description>
      <pubDate>Tue, 12 Aug 2025 11:29:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches Released for Windows Disk Cleanup Tool Elevation of Privilege Vulnerability (CVE-2025-21420)</title>
      <link>https://0patch.com/blog/micropatches-for-windows-disk-cleanup</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-for-windows-disk-cleanup</guid>
      <description>February 2025 Windows Updates brought a patch for CVE-2025-21420, a local privilege elevation vulnerability allowing a local attacker to execute malicious code in another user's existing session using said user's identity. Microsoft's advisory does not reveal who reported this vulnerability to Microsoft (or whether they had discovered it internally).
 
The Vulnerability 
Security researcher moiz reverse engineered Microsoft's patch for cleanmgr.exe in February's Windows updates and found that Microsoft had added the ProcessRedirectionTrustPolicy mitigation (a.k.a. Redirection Guard) to the process, which causes the process to ignore symbolic links created by low-privileged users. Based on this information, moiz monitored the behavior of the Disk Cleanup tool when launched and found that it was vulnerable to symbolic link redirection. Placing a symbolic link from a certain file that a low-privileged user can create, to another file that can only be deleted by a high-privileged user, can result in deletion of the latter file when Disk Cleanup's scheduled task is launched.</description>
      <pubDate>Thu, 24 Jul 2025 16:39:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches Released for &quot;WSPCoerce&quot; Coerced Authentication via Windows Search Protocol (NO CVE/WONTFIX)</title>
      <link>https://0patch.com/blog/micropatches-released-for-wspcoerce</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-released-for-wspcoerce</guid>
<description>Coerced authentication is any method that allows an attacker to force a target system to authenticate against the attacker's computer and reveal its credentials in the process. The most useful form of coerced authentication on Windows is arguably one that forces a remote Windows computer to send its machine (system) account's NTLM credentials to the attacker, which can then be relayed to another computer.
Microsoft does not consider &quot;coerced authentication&quot; methods vulnerabilities worth fixing and rather suggests several options for mitigating attacks, including disabling NTLM. For various, mostly legacy-related reasons, many large organizations can't implement these options.
That is why we at 0patch have decided to provide our own patches for known coerced authentication issues so that both legacy Windows systems like Windows 7 and Server 2008 R2 and the latest Windows 11 and Server 2025 that are using NTLM get to be properly protected. So far we have been providing (and dutifully porting to new versions of executable files) patches for these coerced authentication issues:
PetitPotam

PrinterBug/SpoolSample and

DFSCoerce.</description>
      <pubDate>Thu, 10 Jul 2025 21:06:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches Released for WEBDAV Remote Code Execution Vulnerability (CVE-2025-33053)</title>
      <link>https://0patch.com/blog/micropatches-released-for-webdav-remote</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-released-for-webdav-remote</guid>
<description>June 2025 Windows updates brought a fix for CVE-2025-33053, a remote code execution vulnerability that was found to be exploited in the wild. The vulnerability allows a malicious URL file pointing to a legitimate local Windows executable to &quot;sideload&quot; a DLL or EXE from the attacker's server on the Internet when opened.
Note that while Microsoft titled this issue &quot;WEBDAV Remote Code Execution&quot;, the vulnerability can be generally exploited using any SMB network share, including an internal network shared folder. However, since most firewalls and Internet Service Providers block SMB traffic, WebDAV makes for a much more powerful attack scenario as it allows the malicious DLL to be loaded from a server on the Internet right through the firewall.
 
The Vulnerability 
This vulnerability was detected by Alexandra Gofman and David Driker with Check Point Research, who wrote up a detailed analysis. Windows Internet shortcut files, also called URL files by their .</description>
      <pubDate>Mon, 16 Jun 2025 16:20:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches Released for Preauth DoS on Windows Deployment Service (CVE-2025-29957)</title>
      <link>https://0patch.com/blog/micropatches-released-for-preauth-dos</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-released-for-preauth-dos</guid>
<description>May 2025 Windows updates brought a fix for CVE-2025-29957, a denial of service vulnerability allowing an attacker in the network to easily consume all available memory on a Windows Server with Windows Deployment Service installed. This could leave said server unable to provide Windows deployment services as well as other services such as network file sharing, printing, or any other functionality based on its configured server roles.
The vulnerability was reported to Microsoft by security researchers R4nger &amp; Zhiniang Peng.
 

Microsoft's Patch
Microsoft patched this issue by properly freeing allocated memory on each remote session initiation.
 

Our Micropatch

Our patch does the exact same thing as Microsoft's.

Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:
Windows Server 2012 - fully updated without ESU, with ESU 1

Windows Server 2012 R2 - fully updated without ESU, with ESU 1

 
Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prev</description>
      <pubDate>Thu, 29 May 2025 13:17:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches Released for Microsoft Management Console Security Feature Bypass Vulnerability (CVE-2025-26633)</title>
      <link>https://0patch.com/blog/micropatches-released-for-microsoft</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-released-for-microsoft</guid>
      <description>March 2025 Windows updates brought a fix for CVE-2025-26633, a security feature bypass vulnerability in Windows that allows a malicious script to bypass one of the security warnings displayed when opening a Microsoft Console (.msc) file that was loaded from the Internet.
The vulnerability was reported to Microsoft by security researcher Aliakbar Zahravi with Trend Micro.
Aliakbar also published a detailed analysis of this vulnerability, which allowed us to reproduce the issue and create our own patches for security-adopted Windows versions that are no longer receiving updates from Microsoft.
 
Microsoft's Patch
Microsoft patched this issue by preventing users from launching .msc files marked with Mark of the Web (MotW).

 

Our Micropatch

Our patch does the exact same thing as Microsoft's.

Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:
Windows 11 21H2 - fully updated

Windows 10 21H2 - fully updated

Windows 10 21H1 - fully updated

Windows 10 20H2 - fully updated

Windows 10 2004 - fully updated

Windows 10 1909 - fully updated

Windows 10 1809 - fully updated

Windows 10 v18</description>
      <pubDate>Mon, 26 May 2025 12:44:00 GMT</pubDate>
    </item>
    <item>
      <title>How MSPs Can Handle Windows 10 End of Support with 0patch</title>
      <link>https://0patch.com/blog/how-can-msps-handle-windows-10-end-of</link>
      <guid isPermaLink="true">https://0patch.com/blog/how-can-msps-handle-windows-10-end-of</guid>
      <description>“Patching Windows 10 after end-of-support? Done.”

October 14, 2025, is a date that’s probably already circled in red on your Windows 10 clients’ calendars – or at least, it should be. It’s the day Microsoft stops releasing security updates for Windows 10. Yes, it’s the official End of Support (EoS) date, and we all know what that means: a scramble for upgrades, extended support costs.

As an MSP, this is both a headache and an opportunity. After all, your clients rely on you to keep their systems secure, compliant, and running smoothly. And if history is any guide, some of them will be clinging to their Windows 10 machines well into 2026 and beyond.

So, what’s your move? Why not 0patch? It’s your chance to offer a smarter, more cost-effective alternative to expensive upgrades and risky unpatched systems. Let’s talk about why.

Why Your Clients Don’t Want to Upgrade (and Why You Shouldn’t Force Them)

Let’s face it, some users just don’t want to give up their trusty Windows 10 machines, and for good reasons.</description>
      <pubDate>Wed, 21 May 2025 15:06:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches released for SCF File NTLM Hash Disclosure Vulnerability (0day) - and Free Micropatches for it</title>
      <link>https://0patch.com/blog/scf-file-ntlm-hash-disclosure</link>
      <guid isPermaLink="true">https://0patch.com/blog/scf-file-ntlm-hash-disclosure</guid>
<description>While patching an SCF File NTLM hash disclosure issue on our security-adopted Windows versions, our researchers discovered a related vulnerability on all Windows Workstation and Server versions from Windows 7 and Server 2008 R2 to the latest Windows 11 v24H2 and Server 2025. The vulnerability allows an attacker to obtain the user's NTLM credentials by having the user view a malicious file in Windows Explorer - e.g., by opening a shared folder or USB disk with such a file, or viewing the Downloads folder where such a file was previously automatically downloaded from the attacker's web page.
Impact and attack scenarios of this issue are identical to those of a previously discovered 0day in URL files (subsequently patched by Microsoft), although the flaw is different here and to our knowledge not discussed in public before.
[Update 04/09/2025] We were informed by George Hughey with MSRC Vulnerabilities &amp; Mitigations that Microsoft recently brought a change to how SCF files are behaving.</description>
      <pubDate>Tue, 25 Mar 2025 13:44:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches Released for SCF File NTLM Hash Disclosure Vulnerability (No CVE)</title>
      <link>https://0patch.com/blog/micropatches-released-for-scf-file-ntlm</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-released-for-scf-file-ntlm</guid>
      <description>While we're on the subject of NTLM hash leaking vulnerabilities [1][2], we found this widely known issue of the same type that was patched by Microsoft at various points in time but never seemed to have received CVE IDs.
The issue is in SCF files with the IconFile property being a network share path like \\&lt;IP_address&gt;\file leaking the user's NTLM hash to the network location when the user simply views a folder containing such an SCF file.
This issue has been documented and mentioned many times in the past, but the oldest mention we could find was this article by Bosko Stankovic of DefenseCode written in May 2017. (The DefenseCode domain is no longer active, so the link is to an archived article on the Internet Archive.)
The vulnerability has long been patched on Windows 10 machines and Windows Servers 2019 and higher, while Windows 7, Windows 8, and Windows Server 2008-2016 only received a patch in August 2024.
 
Microsoft's Patch
Microsoft patched this issue by calling MapUrlToZone to determine the security zone of the icon file, then deciding based on that whether or not to attempt to load the icon.</description>
      <pubDate>Fri, 07 Mar 2025 15:05:00 GMT</pubDate>
    </item>
    <item>
      <title>Analysis of a Flaw in Microsoft's Patch for &quot;copy2pwn&quot; (CVE-2024-38213)</title>
      <link>https://0patch.com/blog/analysis-of-flaw-in-microsofts-patch</link>
      <guid isPermaLink="true">https://0patch.com/blog/analysis-of-flaw-in-microsofts-patch</guid>
      <description>This is a story of a temporarily flawed Microsoft patch.

CVE-2024-38213 is a vulnerability that causes files copied from WebDAV shared folders to Windows machine to not have the Mark of the Web (MotW) applied. This results in such files being overly trusted by Windows Explorer, Defender, SmartScreen and possibly other security products, and vulnerabilities like this are being exploited in the wild.

The vulnerability was discovered by security researchers Peter Girnus and Simon Zuckerbraun with the ZDI and reported to Microsoft, who provided a patch for it with July 2024 updates. Their advisory was, however, not released until August 2024, which was also when Peter published their detailed analysis and nicknamed the vulnerability &quot;copy2pwn&quot;.
We were naturally interested in the vulnerability as it was likely also affecting security-adopted legacy Windows systems for which Microsoft was no longer providing security patches.
Our review of Microsoft's patch, however, revealed something interesting:
It didn't work.</description>
      <pubDate>Thu, 13 Feb 2025 10:37:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches Released for Microsoft Outlook Remote Code Execution Vulnerability (CVE-2025-21357)</title>
      <link>https://0patch.com/blog/2025-02-micropatches-released-for-microsoft</link>
      <guid isPermaLink="true">https://0patch.com/blog/2025-02-micropatches-released-for-microsoft</guid>
<description>January 2025 Windows updates brought a fix for CVE-2025-21357, a remote code execution vulnerability in Microsoft Outlook. This vulnerability allows an attacker with access to the Exchange server with a user's credentials to execute arbitrary code on the user's computer when the user connects to Exchange with Outlook.

The vulnerability was reported to Microsoft by security researchers Jeongmin Choi, JongGeon KIM, Kiyeon Jeong, JunHyuk Im, and SeungYun LEE with bObffice (BOB13th), and Michael Gorelik and Arnold Osipov with Morphisec.

Michael Gorelik with Morphisec privately shared details and POC with us, which allowed us to reproduce the issue and create our own patches for security-adopted Outlook versions that are no longer receiving updates from Microsoft.
 
Microsoft's Patch
Microsoft patched this issue by initializing a previously uninitialized variable in the affected data structure to 0, preventing a previously possible invalid pointer dereference.</description>
      <pubDate>Mon, 10 Feb 2025 23:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches Released for Active Directory Certificate Services Elevation of Privilege Vulnerability (CVE-2024-49019)</title>
      <link>https://0patch.com/blog/micropatches-released-for-active</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-released-for-active</guid>
      <description>November 2024 Windows updates brought a fix for CVE-2024-49019, a privilege escalation vulnerability allowing, under specific conditions, a domain user to create a certificate for another domain user, e.g., domain administrator - and then use it for logging in as that user.

The vulnerability was reported to Microsoft by security researchers Lou Scicchitano, Scot Berner, and Justin Bollinger with TrustedSec.

Justin then published a detailed article on this vulnerability, which allowed us to reproduce the issue and create our own patches for security-adopted Windows versions that are no longer receiving updates from Microsoft.
 
Microsoft's Patch
Microsoft patched this by adding a new function call that disables the Extended Key Usage attribute.
 

Our Micropatch

Our patch performs the same operation with additional optimizations to logic and code flow.

Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:
Windows Server 2008 R2 - fully updated without ESU, with ESU 1, ESU 2, ESU 3 or ESU 4

Windows Server 2012 - fully updated without ESU, with ESU 1

Windows Server 2012 R2 - fully </description>
      <pubDate>Fri, 07 Feb 2025 17:30:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches Released for Windows OLE Remote Code Execution (CVE-2025-21298)</title>
      <link>https://0patch.com/blog/micropatches-released-for-windows-ole</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-released-for-windows-ole</guid>
<description>January 2025 Windows updates brought a fix for CVE-2025-21298, a memory corruption issue in Windows OLE data processing that can be exploited by a malicious Word document or a malicious email read in Outlook to execute arbitrary code on the user's computer. (Probably also in multiple other ways, but these would be the obvious attack scenarios.)
The vulnerability was reported to Microsoft by security researchers Jmini, Rotiple, D4m0n with Trend Micro Zero Day Initiative.
Subsequently, security researcher Miloš published their analysis and POC of this vulnerability, which allowed us to reproduce the issue and create our own patches for security-adopted Windows versions that are no longer receiving updates from Microsoft.
 
Microsoft's Patch
The root cause of this issue is in function UtOlePresStmToContentsStm freeing a stream object, but then storing the just-freed pointer, which subsequently gets used again.

Microsoft patched this issue by overwriting the freed stream pointer with NULL, preventing its subsequent use.</description>
      <pubDate>Fri, 07 Feb 2025 14:03:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches Released for NTLM Hash Disclosure Spoofing Vulnerability (CVE-2024-43451)</title>
      <link>https://0patch.com/blog/micropatches-released-for-ntlm-hash</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-released-for-ntlm-hash</guid>
<description>November 2024 Windows updates brought a fix for CVE-2024-43451, an NTLM hash disclosure vulnerability that allows an attacker to obtain the user's Net-NTLM hash when the user right-clicks, deletes or moves a malicious .url file to another folder.
The vulnerability was reported to Microsoft by Israel Yeshurun with ClearSky Cyber Security, who subsequently also published a detailed report. The report allowed us to reproduce the issue and create our own patches for security-adopted Windows versions that are no longer receiving updates from Microsoft.
 
Microsoft's Patch
Microsoft patched this issue by replacing the IECreateFromPathCPWithBCW function with a new version that has an updated check for network paths. Multiple new tests are performed including calls to MapUrlToZone and IsFileURLW. They also added checks for special characters in the path, but all these additional checks were done to exclude some network paths (which Microsoft deemed legitimate) from being blocked.</description>
      <pubDate>Mon, 03 Feb 2025 23:40:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches Released for Windows Task Scheduler Elevation of Privilege Vulnerability (CVE-2024-49039)</title>
      <link>https://0patch.com/blog/2025-02-micropatches-released-for-windows-task</link>
      <guid isPermaLink="true">https://0patch.com/blog/2025-02-micropatches-released-for-windows-task</guid>
      <description>November 2024 Windows updates brought a fix for CVE-2024-49039, a local privilege escalation issue allowing low-integrity code running on the computer to execute arbitrary medium-integrity code as the same user. This can be useful for escaping low-integrity sandboxes such as those in modern web browsers (such as Mozilla Firefox) and document readers.
In short: if you are malicious code executed with low integrity, you create a scheduled task to be executed as you, then Task Scheduler executes this task with default (medium) integrity. Sandbox escaped.

The vulnerability was reported to Microsoft by the Mozilla Security Team, and by Vlad Stolyarov and Bahare Sabouri of Google's Threat Analysis Group.
Subsequently, security researcher je5442804 published their analysis and POC of this vulnerability, which allowed us to reproduce the issue and create our own patches for security-adopted Windows versions that are no longer receiving updates from Microsoft.</description>
      <pubDate>Mon, 03 Feb 2025 23:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches Released for Windows &quot;LDAPNightmare&quot; Denial of Service Vulnerability (CVE-2024-49113)</title>
      <link>https://0patch.com/blog/2025-01-micropatches-released-for-windows</link>
      <guid isPermaLink="true">https://0patch.com/blog/2025-01-micropatches-released-for-windows</guid>
      <description>December 2024 Windows Updates brought a patch for CVE-2024-49113 a.k.a. &quot;LDAPNightmare&quot;, a denial of service vulnerability in Windows LDAP client code. The vulnerability allows an attacker to crash the LDAP client process after coercing it to connect to their malicious LDAP server; if the client process happens to be an important Windows service such as lsass.exe, its crashing would lead to computer reboot.

The vulnerability was discovered and reported to Microsoft by security researcher Yuki Chen. After Microsoft's patch was issued, researchers Or Yair and Shahak Morag of SafeBreach reversed it, recreated a proof of concept, and issued a detailed analysis.
These allowed us to reproduce the issue and create our own patches for it for security-adopted Windows versions that are no longer receiving updates from Microsoft.
 

The Vulnerability

The vulnerability allows a malicious LDAP server to cause an out-of-bounds read operation in the memory space of the client process on the remote computer when processing LDAP referral data.</description>
      <pubDate>Mon, 13 Jan 2025 23:00:00 GMT</pubDate>
    </item>
    <item>
      <title>URL File NTLM Hash Disclosure Vulnerability (initially 0day, now CVE-2025-21377) - and Free Micropatches for it</title>
      <link>https://0patch.com/blog/url-file-ntlm-hash-disclosure</link>
      <guid isPermaLink="true">https://0patch.com/blog/url-file-ntlm-hash-disclosure</guid>
<description>Update 2/11/2025: February 2025 Windows Updates fixed the 0day mentioned here and assigned it CVE-2025-21377. 0patch users had this issue patched for 68 days before the official vendor fix became available.
Our researchers discovered a vulnerability on all Windows Workstation and Server versions from Windows 7 and Server 2008 R2 to the latest Windows 11 v24H2 and Server 2022. The vulnerability allows an attacker to obtain the user's NTLM credentials by simply having the user view a malicious file in Windows Explorer - e.g., by opening a shared folder or USB disk with such a file, or viewing the Downloads folder where such a file was previously automatically downloaded from the attacker's web page.
We reported this issue to Microsoft, and - as usual - issued micropatches for it that will remain free until Microsoft has provided an official fix.
We are withholding details on this vulnerability until Microsoft's fix becomes available to minimize the risk of malicious exploitation.</description>
      <pubDate>Thu, 05 Dec 2024 22:47:00 GMT</pubDate>
    </item>
    <item>
      <title>Windows Server 2012 Mark of the Web Vulnerability (0day, now CVE-2025-27472) - and Free Micropatches for it</title>
      <link>https://0patch.com/blog/windows-server-2012-mark-of-web</link>
      <guid isPermaLink="true">https://0patch.com/blog/windows-server-2012-mark-of-web</guid>
      <description>[Update April 14, 2025] April 2025 Windows Updates brought a fix for this issue on Windows Server 2012 R2 and assigned it CVE-2025-27472. However, the same updates not only did not fix this issue on Windows Server 2012 but rather broke another security measure that was working before. We reported this to Microsoft and will not reveal details until they have fixed their flawed fix. (Of course we also issued a micropatch to correct the flawed fix.) On Windows Server 2012 R2, users with 0patch have had this issue patched for 131 days before receiving an official fix by Microsoft, even if subscribed to Extended Security Updates.
[Update May 13, 2025] May 2025 Windows Updates finally fixed the issue on Windows Server 2012 as well. On Windows Server 2012, therefore, users with 0patch have had this issue patched for 171 days before receiving an official fix by Microsoft, even if subscribed to Extended Security Updates.
Our researchers discovered a previously unknown vulnerability on Windows Server 2012 and Server 2012 R2 that allows an attacker to bypass a security check otherwise enforced by Mark of the Web on certain types of files.</description>
      <pubDate>Thu, 28 Nov 2024 23:34:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches for &quot;LNK Stomping&quot; Windows Mark of the Web Security Feature Bypass (CVE-2024-38217)</title>
      <link>https://0patch.com/blog/micropatches-for-lnk-stomping-windows</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-for-lnk-stomping-windows</guid>
<description>September 2024 Windows Updates brought a patch for CVE-2024-38217 a.k.a. &quot;LNK Stomping&quot;, a security bypass vulnerability allowing an attacker to prevent the &quot;Mark of the Web&quot; (MotW) from being applied to a downloaded malicious file.
The vulnerability was reported by security researcher Joe Desimone with Elastic Security, who published a detailed analysis and shared a proof-of-concept. This allowed us to reproduce the issue and issue our own patches for it for various security-adopted Windows versions that are no longer receiving updates from Microsoft.
 

The Vulnerability

Any downloaded file should get a Mark of the Web (a label in its alternate data stream marking its untrusted origin) and this also goes for LNK (Windows shortcut) files. A LNK file points to an executable file with optional parameters, such as powershell.exe or cmd.exe, which gets executed with optional command-line arguments when a user double-clicks the shortcut.

However, when a LNK file points to an executable file ending with some additional character (e.</description>
      <pubDate>Thu, 28 Nov 2024 22:44:00 GMT</pubDate>
    </item>
    <item>
      <title>Fixing a Bunch of Scripting Engine Vulnerabilities by Disabling Just-In-Time Compiler (CVE-2024-38178)</title>
      <link>https://0patch.com/blog/fixing-bunch-of-scripting-engine</link>
      <guid isPermaLink="true">https://0patch.com/blog/fixing-bunch-of-scripting-engine</guid>
      <description>August 2024 Windows Updates brought a patch for CVE-2024-38178, a remotely exploitable memory corruption issue in &quot;legacy&quot; Scripting Engine (JScript9.dll). This engine, while part of long-expired Internet Explorer, is still present on all Windows computers and can be invoked via various mechanisms, for instance from an Office document.
Subsequently, security researchers Hosu Choi and Minyeop Choi of S2W Talon published a detailed article, which included a short proof-of-concept script, allowing us to reproduce the issue and issue our own patches for it.
 

The Vulnerability

This is yet another vulnerability in JScript9.dll's Just-in-Time (JIT) compiler. We've patched these kinds of issues in JScript9 JIT before (CVE-2021-34480, CVE-2022-41128), and this issue is actually just a bypass for the latter's patch.
In a similar way as with CVE-2022-41128, exploitation is done by malicious JavaScript code rendered by JScript9.dll, which first forces Scripting Engine to switch to JIT by executing a very long loop, thereby triggering JIT optimization.</description>
      <pubDate>Mon, 18 Nov 2024 17:37:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches Released for Remote Registry Service Elevation of Privilege Vulnerability (CVE-2024-43532)</title>
      <link>https://0patch.com/blog/micropatches-released-for-remote</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-released-for-remote</guid>
<description>October 2024 Windows Updates brought a patch for CVE-2024-43532, a vulnerability in Windows Remote Registry Service that could allow an attacker with access to network communication between the administrator's computer and a computer under remote administration to hijack the network connection and obtain the administrator's credentials. These could then be relayed to another server, for instance an Active Directory Certificate Server, and used for creating a new certificate for subsequent authentication.
Note that the official title of this issue (&quot;Remote Registry Service Elevation of Privilege Vulnerability&quot;) is incorrect, as the vulnerability is not in the Remote Registry Service but rather in the remote registry client code, i.e., in the component that remotely connects to the Remote Registry Service on another computer. We're reluctantly keeping this title to avoid the risk of anyone thinking these are two separate issues.

Security researcher Stiv Kupchik of Akamai found this vulnerability and reported it to Microsoft.</description>
      <pubDate>Tue, 12 Nov 2024 14:58:00 GMT</pubDate>
    </item>
    <item>
      <title>We Patched CVE-2024-38030, Found Another Windows Themes Spoofing Vulnerability (initially 0day, now CVE-2025-21308)</title>
      <link>https://0patch.com/blog/we-patched-cve-2024-38030-found-another</link>
      <guid isPermaLink="true">https://0patch.com/blog/we-patched-cve-2024-38030-found-another</guid>
<description>[Update 1/14/2025] January 2025 Windows Updates fixed the 0day mentioned here and assigned it CVE-2025-21308. 0patch users had this issue patched for 77 days before the official vendor fix became available.

TL;DR: While patching CVE-2024-38030, we found another similar issue, reported it to Microsoft and created free micropatches for 0patch users on both legacy and still-supported Windows versions so they don't have to wait for an official patch.

When Akamai security researcher Tomer Peled decided to look into Windows theme files last year, they found that when a theme file specified a network file path for some of the theme properties (specifically BrandImage and Wallpaper), Windows would automatically send authenticated network requests to remote hosts, including the user's NTLM credentials, when such a theme file was viewed in Windows Explorer. This meant that merely seeing a malicious theme file listed in a folder or placed on the desktop would be enough to leak the user's credentials without any additional user action.</description>
      <pubDate>Tue, 29 Oct 2024 10:06:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches for Windows Installer Elevation of Privilege Vulnerability (CVE-2024-38014)</title>
      <link>https://0patch.com/blog/micropatches-for-windows-installer</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-for-windows-installer</guid>
      <description>September 2024 Windows Updates brought a patch for CVE-2024-38014, a privilege escalation vulnerability in Windows Installer that could allow a local low-privileged attacker to execute arbitrary code as Local System user.

Security researcher Michael Baer with SEC Consult Vulnerability Lab found this vulnerability and reported it to Microsoft. Subsequently they also published an article detailing this vulnerability, which allowed us to create a micropatch for it.
 

The Vulnerability

This vulnerability is an addition to a series of Windows Installer security flaws that were found over the last few years (and patched by 0patch: [1, 2, 3, 4]). Most of these exploited the &quot;repair&quot; operation in one way or another, and so does this one. Its exploitability depends on a product being installed on the computer, whereby the product's installer has to fulfill a number of conditions described in SEC Consult's article.

This vulnerability finally pushed Microsoft to create a patch that fixed not just this particular issue, but a whole class of issues that might result from non-admin users invoking the repair operation.</description>
      <pubDate>Wed, 02 Oct 2024 16:35:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches for &quot;MadLicense&quot; Windows Remote Desktop Licensing Service Remote Code Execution (CVE-2024-38077)</title>
      <link>https://0patch.com/blog/micropatches-for-madlicense-windows</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-for-madlicense-windows</guid>
      <description>July 2024 Windows Updates brought a patch for CVE-2024-38077, a memory corruption vulnerability in Remote Desktop Licensing Service that could potentially allow an attacker in a Windows network to remotely execute arbitrary code on a computer running this service.

Security researchers Lewis Lee, Chunyang Han and Zhiniang Peng found this vulnerability and reported it to Microsoft. On August 9 they also published an article (subsequently deleted) with some details about this vulnerability and an incomplete pseudo-code POC. We confirmed that said POC was not working as-is, but by combining various sources we were able to create our own working POC.
 
The Vulnerability

The vulnerability resides in the Remote Desktop Licensing Service, a service only running on Windows Servers and not installed by default: one has to add the &quot;Remote Desktop Licensing&quot; role to have it installed.
The flaw is in a fixed-size buffer being used for user-supplied data, which can result in a buffer overflow.</description>
      <pubDate>Thu, 19 Sep 2024 16:23:00 GMT</pubDate>
    </item>
    <item>
      <title>Patches for two Windows Bluetooth Vulnerabilities (CVE-2023-23388, CVE-2023-24871)</title>
      <link>https://0patch.com/blog/patches-for-two-windows-bluetooth</link>
      <guid isPermaLink="true">https://0patch.com/blog/patches-for-two-windows-bluetooth</guid>
      <description>March 2023 Windows Updates brought patches for two Windows Bluetooth vulnerabilities: CVE-2023-23388, a Windows Bluetooth Driver Elevation of Privilege Vulnerability, and CVE-2023-24871, a Windows Bluetooth Service Remote Code Execution Vulnerability. Both were reported to Microsoft by security researcher Miloš (a.k.a. goodbyeselene).

Miloš subsequently wrote a series of detailed articles and published POCs for these issues (POC 1, POC 2). These allowed us to reproduce both issues and create micropatches for affected legacy Windows systems, which are no longer receiving security updates from Microsoft. 

Windows Bluetooth Service Remote Code Execution Vulnerability (CVE-2023-24871)
This is a vulnerability inside Microsoft's Bluetooth Low Energy implementation. The Windows.Internal.Bluetooth.dll library implements parsing and processing of Bluetooth data received locally or remotely. Bluetooth Low Energy implements a functionality called &quot;Advertising&quot; which, without going into too much detail, is a way of sending data packets to all participants.</description>
      <pubDate>Mon, 29 Jul 2024 14:49:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches Released for Windows MSHTML Platform Spoofing (CVE-2024-38112)</title>
      <link>https://0patch.com/blog/2024-07-micropatches-released-for-windows</link>
      <guid isPermaLink="true">https://0patch.com/blog/2024-07-micropatches-released-for-windows</guid>
      <description>July 2024 Windows Updates brought a patch for CVE-2024-38112, a vulnerability in Windows that allows an attacker to create a Windows Internet Shortcut file (extension .url) that will look exactly like a PDF document, while clicking on it opens attacker's web page in Internet Explorer. The problem there is that Internet Explorer, which is still present on Windows computers and integrated into many applications, is easier to exploit as it has no real sandbox.
This issue was reported to Microsoft by Haifei Li with Check Point Research, whose researchers noticed it being used by threat actors. Haifei later wrote an article detailing the vulnerability, demonstrating how a malicious executable could be executed using this trick. In addition, exploitation of the same issue was also detected in the wild by Trend Micro; they, too, reported it to Microsoft.

Microsoft patched this by deleting a small piece of code from ieframe.dll which allowed for Internet Explorer to be launched via a URL file.</description>
      <pubDate>Mon, 22 Jul 2024 22:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Long Live Windows 10... With 0patch</title>
      <link>https://0patch.com/blog/long-live-windows-10-with-0patch</link>
      <guid isPermaLink="true">https://0patch.com/blog/long-live-windows-10-with-0patch</guid>
      <description>End of Windows 10 Support Looming? Don't Worry, 0patch Will Keep You Secure For Years To Come!

October 2025 will be a bad month for many Windows users. That's when Windows 10 will receive its last free security update from Microsoft, and the only &quot;free&quot; way to keep using Windows securely will be to upgrade to Windows 11.
Now, many of us don't want to, or simply can't, upgrade to Windows 11.
We don't want to because we got used to Windows 10 user interface and we have no desire to search where some button has been moved to and why the app that we were using every day is no longer there, while the system we have is already doing everything we need.
We don't want to because of increasing enshittification including bloatware, Start Menu ads, and serious privacy issues. We don't want to have an automated integrated screenshot- and key-logging feature constantly recording our activity on the computer.

We may have applications that don't work on Windows 11.</description>
      <pubDate>Thu, 27 Jun 2024 10:01:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches For Microsoft Outlook Remote Code Execution Vulnerability (CVE-2024-21378)</title>
      <link>https://0patch.com/blog/micropatches-for-microsoft-outlook</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-for-microsoft-outlook</guid>
      <description>In February 2024, Microsoft released a patch for CVE-2024-21378, a vulnerability in Microsoft Outlook that allowed an attacker to execute arbitrary code on user's computer when the user opened a malicious email. The vulnerability was reported by Nick Landers with NetSPI.
A month later, NetSPI published an analysis that detailed this vulnerability and provided a proof-of-concept to demonstrate how an attacker could exploit an Exchange server to achieve arbitrary code execution.
 
The Vulnerability

The vulnerability affects Outlook custom forms. These forms provide advanced users with a way to modify existing form templates (email, appointment, note, etc.) or create new ones from scratch.
Long story short, a malicious Outlook form could be installed on an Exchange server and automatically downloaded to user's Outlook by a carefully crafted email message. Upon downloading, the malicious form would register a DLL downloaded with the form as an in-process server to achieve its automatic execution.</description>
      <pubDate>Mon, 24 Jun 2024 13:44:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatch Released for Windows Authentication Elevation of Privilege Vulnerability (CVE-2023-36047)</title>
      <link>https://0patch.com/blog/micropatch-released-for-windows</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatch-released-for-windows</guid>
      <description>We have just released a micropatch for CVE-2023-36047, a local privilege escalation vulnerability found by Filip Dragović in the way Windows handles files when a user changes their account picture. Filip discovered that on Windows 11, when you change your account picture, this picture is copied to a destination folder by a privileged process (the &quot;User Manager&quot; service). Since this folder is under the user's control, they can set up symbolic links to &quot;redirect&quot; the copying to an arbitrary location. This allowed a local unprivileged attacker to copy a malicious DLL to a folder like C:\Windows\System32, where they would normally not be able to create files.
Adding a malicious DLL file to a system folder can lead to execution of attacker's code with the identity of Local System.
Filip published a POC for this issue, which allowed us to create a micropatch.  
 
Our Micropatch

We patched this issue in the same way Microsoft did, by impersonating the calling user instead of executing the copy operation as Local System.</description>
      <pubDate>Thu, 30 May 2024 13:45:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches Released for Windows MSHTML Platform Remote Code Execution Vulnerability (CVE-2023-35628)</title>
      <link>https://0patch.com/blog/micropatches-released-for-windows-25</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-released-for-windows-25</guid>
      <description>December 2023 Windows Updates brought a patch for CVE-2023-35628, a memory corruption vulnerability that could potentially lead to remote code execution when an application on user's computer tried to access a URL provided by an attacker.

Security researcher Ben Barnea of Akamai, who found this vulnerability and reported it to Microsoft, wrote a detailed article and published a simple and effective POC. These allowed us to reproduce the issue and create a micropatch for affected legacy Windows systems, which are no longer receiving security updates from Microsoft.

The Vulnerability

The vulnerability resides inside the CrackUrlFile function in iertutil.dll. In July 2023, Microsoft added some code to this function that introduced the vulnerability, whereby a heap free operation is made on an invalid pointer when the provided URL is properly formatted as described in Ben's article.

CrackUrlFile is a fairly generic function and can be used by various processes and applications.</description>
      <pubDate>Thu, 25 Apr 2024 16:42:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches Released for Windows Workstation and Server Service Elevation of Privilege Vulnerability (CVE-2022-38034, CVE-2022-38045, No CVE)</title>
      <link>https://0patch.com/blog/2024-04-micropatches-released-for-windows</link>
      <guid isPermaLink="true">https://0patch.com/blog/2024-04-micropatches-released-for-windows</guid>
      <description>October 2022 Windows Update brought fixes for two interesting vulnerabilities, CVE-2022-38034 and CVE-2022-38045. They allowed a remote attacker to access various &quot;local-only&quot; RPC functions in Windows Workstation and Windows Server services respectively, bypassing these services' RPC security callbacks. These vulnerabilities were found by Ben Barnea and Stiv Kupchik of Akamai who published a detailed article and provided a proof-of-concept tool.

We missed this publication back in 2022 (probably being busy patching some other vulnerabilities), but once we found it we confirmed that some of the legacy Windows versions that we had security-adopted were affected and decided to provide patches for them.
 
The Vulnerability

The vulnerability stems from the fact that older Windows systems, but also current Windows systems with less than 3.5GB of RAM, pack two or more services into the same svchost.exe process. Apparently this can be a problem; in our case, it enables both Workstation and Server Service - which normally don't accept authentication requests - to accept authentication requests when bundled up with another service that does.</description>
      <pubDate>Tue, 23 Apr 2024 22:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches for Windows Local Session Manager Elevation of Privilege (CVE-2023-21771)</title>
      <link>https://0patch.com/blog/micropatches-for-windows-local-session</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-for-windows-local-session</guid>
      <description>In December of 2022, Ben Barnea of Akamai posted an X thread about a bug they had found in Windows Local Service Manager (LSM) that can lead to local privilege escalation from regular user account to Local System. Ben discovered that code in LSM was missing a return value check after a call is made to RpcImpersonateClient to impersonate the caller: a failed impersonation attempt would therefore keep the code running as Local System.
After trying out several ideas to make the RpcImpersonateClient function fail, Ben succeeded with an interesting race condition trick, changing the caller's token after the call has been accepted by LSM, but before the impersonation is attempted.

Microsoft assigned this issue CVE-2023-21771, and issued a fix for it with January 2023 Windows Updates. 
Ben's X thread and proof of concept allowed us to reproduce the issue and create a micropatch for users of legacy Windows systems, which are no longer receiving security updates from Microsoft.</description>
      <pubDate>Thu, 04 Apr 2024 13:41:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches for Leaking NTLM Credentials Through Windows Themes (CVE-2024-21320)</title>
      <link>https://0patch.com/blog/micropatches-for-leaking-ntlm</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-for-leaking-ntlm</guid>
      <description>January 2024 Windows Updates brought a patch for CVE-2024-21320, a privilege escalation vulnerability in Windows. The vulnerability allows a remote attacker to acquire user's NTLM credentials when the victim simply downloads a Theme file or views such file in a network folder.
Security researcher Tomer Peled of Akamai discovered this issue, reported it to Microsoft, and later published a detailed article along with a proof of concept. These allowed us to reproduce the issue and create a micropatch for users of legacy Windows systems, which are no longer receiving security updates from Microsoft. 

The Vulnerability

In short, the Theme file format allows a .theme file to specify two images, BrandImage and Wallpaper, which can also be on a remote network share and which Windows Explorer will automatically try to load when a Theme file is downloaded or displayed in a folder. A malicious Theme file could have these images point to a shared folder on attacker's computer, where user's NTLM credentials would be harvested and used for impersonating the user.</description>
      <pubDate>Tue, 02 Apr 2024 14:08:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches Released for Microsoft Outlook &quot;MonikerLink&quot; Remote Code Execution Vulnerability (CVE-2024-21413, CVE-2024-38021)</title>
      <link>https://0patch.com/blog/2024-03-micropatches-released-for-microsoft</link>
      <guid isPermaLink="true">https://0patch.com/blog/2024-03-micropatches-released-for-microsoft</guid>
      <description>Update 7/31/2024: Additional exploitation variants for this vulnerability were subsequently discovered. Consequently, original micropatches were revoked and new micropatches issued to cover these new variants.
Update 8/19/2024: The additional exploitation variants that we had already patched were published by Morphisec researchers Arnold Osipov, Michael Gorelik, and Shmuel Uzan, and the issue was assigned CVE-2024-38021.
In February 2024, still-supported Microsoft Outlook versions got an official patch for CVE-2024-21413, a vulnerability that allowed an attacker to execute arbitrary code on user's computer when the user opened a malicious hyperlink in attacker's email.
The vulnerability was discovered by Haifei Li of Check Point Research, who also wrote a detailed analysis. Haifei reported it as a bypass for an existing security mechanism, whereby Outlook refuses to open a file from a shared folder on the Internet (which could expose user's NTLM credentials in the process).</description>
      <pubDate>Thu, 14 Mar 2024 23:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches Released for Microsoft Outlook Information Disclosure Vulnerability (CVE-2023-35636)</title>
      <link>https://0patch.com/blog/micropatches-released-for-microsoft-23</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-released-for-microsoft-23</guid>
      <description>In December 2023, still-supported Microsoft Outlook versions got an official patch for CVE-2023-35636, a vulnerability that allowed an attacker to coerce user's Outlook to authenticate to attacker's remote server, revealing user's NTLM hash in the process.
The vulnerability was discovered by Varonis researcher Dolev Taler, who wrote up a detailed article about it. In summary, a calendar file attached to an email can point to any URL, including a UNC path on a remote computer - and when the user tried to open such a file, their computer would connect to the remote network share and, upon request, authenticate to it and reveal user's NTLM hash.
Microsoft's December patch changed Outlook's behavior such that whenever an ICS (calendar) file is opened from a specified location (instead of as an attachment), Outlook would display a security warning alerting the user about the potentially harmful content and asking their approval to continue.
While still-supported Microsoft Office versions have received the official vendor fix for this vulnerability, Office 2010 and 2013 - which we have security-adopted - are also vulnerable.</description>
      <pubDate>Fri, 23 Feb 2024 13:51:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches For &quot;OverLog&quot;, Remote Denial of Service Vulnerability in Windows Event Log Service (CVE-2022-37981)</title>
      <link>https://0patch.com/blog/micropacthes-for-overlog-remote-denial</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropacthes-for-overlog-remote-denial</guid>
      <description>We recently delivered patches for the &quot;LogCrusher&quot; vulnerability that allows an attacker to remotely crash Windows Event Log service on some older Windows systems that we have security-adopted. Varonis researcher Dolev Taler, who found and reported that issue to Microsoft, also found another related issue they called &quot;OverLog&quot; (described in the same article).

OverLog allows a remote attacker to back up Internet Explorer logs to a chosen location on the remote computer, which can lead to all disk space being consumed.
OverLog was officially patched by Microsoft in October 2022 and assigned CVE-2022-37981.

Analysis

This one was a bit tougher to crack as the flaw is a missing privilege check in the server-side BackupEventLog function. As stated by Varonis and Microsoft in their official documentation, the BackupEventLog function allegedly checks if the calling user possesses the SE_BACKUP_NAME/SeBackupPrivilege privilege, and errors out if they don't.</description>
      <pubDate>Mon, 19 Feb 2024 17:38:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches For Another Remote Windows Event Log Denial Of Service (&quot;LogCrusher&quot;, no CVE)</title>
      <link>https://0patch.com/blog/micropatches-for-another-remote-windows</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-for-another-remote-windows</guid>
      <description>While recently patching the (still 0day) &quot;EventLogCrasher&quot; vulnerability, we came across another similar vulnerability published in January 2023 by Dolev Taler, a security researcher at Varonis.
Dolev's article details two Windows Event Log-related vulnerabilities they had reported to Microsoft in May 2022: one (&quot;LogCrusher&quot;) allowing a remote attacker to crash the Event Log service on any computer in a Windows domain, and the other (&quot;OverLog&quot;) allowing for remotely filling up the disk on any domain computer by misusing a log backup function. Both vulnerabilities were targeting the Internet Explorer log that had permissions set such that any domain user could access it remotely.

Dolev's article states that OverLog was officially patched by Microsoft in October 2022 and assigned CVE-2022-37981, while the fate of LogCrusher remained unclear. Interestingly though, the title of Microsoft's advisory was &quot;Windows Event Logging Service Denial of Service Vulnerability&quot;, which would match LogCrusher more than OverLog.</description>
      <pubDate>Fri, 09 Feb 2024 18:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches Released For Microsoft Windows XAML diagnostics API Elevation of Privilege (CVE-2023-36003)</title>
      <link>https://0patch.com/blog/2024-02-micropatches-released-for-microsoft</link>
      <guid isPermaLink="true">https://0patch.com/blog/2024-02-micropatches-released-for-microsoft</guid>
      <description>December 2023 Windows Updates brought a patch for CVE-2023-36003, a privilege escalation vulnerability in Microsoft Windows XAML diagnostics API. The vulnerability allows a low-privileged Windows process to execute arbitrary code in a higher-privileged process running in the same user session, and is therefore useful for elevating from a non-admin to admin user.
Security researcher Michael Maltsev, who found this vulnerability and reported it to Microsoft in July 2023, wrote a detailed article and published a POC. These allowed us to reproduce the issue and create a micropatch for users of legacy Windows systems, which are no longer receiving security updates from Microsoft.

Our Micropatch

As Michael has already noted, there were two changes in the December version of Windows.UI.Xaml.dll, but only one seems to be related to this issue: namely the one that sets the security descriptor of the process's XAML diagnostics API interface to the current process's integrity level.</description>
      <pubDate>Mon, 05 Feb 2024 23:00:00 GMT</pubDate>
    </item>
    <item>
      <title>The &quot;EventLogCrasher&quot; 0day For Remotely Disabling Windows Event Log, And a Free Micropatch For It</title>
      <link>https://0patch.com/blog/the-eventlogcrasher-0day-for-remotely</link>
      <guid isPermaLink="true">https://0patch.com/blog/the-eventlogcrasher-0day-for-remotely</guid>
      <description>Update 2/14/2024: February Windows Updates did not patch this issue, so it remains a 0day. We did have to re-issue patches for three Windows versions because the updates changed wevtsvc.dll and patches had to be ported to the new versions.
Update 3/14/2024: March Windows Updates did not patch this issue, so it remains a 0day. We did have to re-issue our patch for Windows Server 2022 because the update changed wevtsvc.dll and our patch had to be ported to the new DLL.
Update 4/10/2024: April Windows Updates did not patch this issue, so it remains a 0day (now 70 days without an official fix). 
Update 5/16/2024: May Windows Updates did not patch this issue, so it remains a 0day (now 106 days without an official fix).  We did have to re-issue our patch for several Windows versions because updates changed wevtsvc.dll and our patch had to be ported to new DLLs.
Update 7/9/2024: Neither June nor July Windows Updates patched this issue, so it remains a 0day (now 6 months without an official fix).</description>
      <pubDate>Wed, 31 Jan 2024 14:57:00 GMT</pubDate>
    </item>
    <item>
      <title>Free Micropatches For Microsoft Access Forced Authentication Through Firewall (0day)</title>
      <link>https://0patch.com/blog/free-micropatches-for-microsoft-access</link>
      <guid isPermaLink="true">https://0patch.com/blog/free-micropatches-for-microsoft-access</guid>
      <description>Update 2/14/2024: Either January 30 or February 1 Office update brought a fix for this issue: now, Access warns the user for any ODBC connection to SQL Server. Our patch only shows a warning when such connection is made on non-standard ports 80 or 443, because these would carry user's NTLM hash through a company firewall, so Microsoft's patch might display more - in our view unnecessary - warnings. So what CVE ID did this issue get? Well, it doesn't seem to have gotten one: neither January 30 nor February 1 Office update mention any changes in Access, and February Windows Updates also have no suitable match. So far, this issue seems to have been fixed silently. With official patch available, our patches for this issue are no longer FREE and require a PRO or Enterprise license. Our patch was available 66 days before Microsoft's.

On November 9, 2023, Check Point Research published an article about an &quot;information disclosure&quot; / &quot;forced authentication&quot; vulnerability in Microsoft Access that allows an attacker to obtain the victim's NTLM hash by having them open a Microsoft Office document (docx, rtf, accdb, etc.</description>
      <pubDate>Sat, 25 Nov 2023 00:28:00 GMT</pubDate>
    </item>
    <item>
      <title>We Patched CVE-2023-28244 Before It Was Cool</title>
      <link>https://0patch.com/blog/we-patched-cve-2023-28244-before-anyone</link>
      <guid isPermaLink="true">https://0patch.com/blog/we-patched-cve-2023-28244-before-anyone</guid>
      <description>How Our Patch For CVE-2022-33647 Fixed CVE-2023-28244 Five Months In Advance
By Blaz Satler of 0patch Team

The Initial Vulnerability - CVE-2022-33647

In September 2022, Microsoft released patches for CVE-2022-33647, a Kerberos vulnerability that allows a MITM (Man-In-The-Middle) attacker to hijack a user's Kerberos ticket and achieve domain privilege escalation. James Forshaw of Google Project Zero was credited with the discovery of this issue and, shortly after the issue was fixed, also published a writeup on the official Project Zero bug tracking page. James also forked a branch of GhostPack's Rubeus tool and added sample POC (Proof-of-Concept) code that demonstrated this issue in action and allowed users to check if their KDC (Key Distribution Center) was affected.

Testing revealed that this issue affected all Kerberos versions that have not configured any restrictions for the use of old cryptographic algorithms, specifically RC4-MD4.</description>
      <pubDate>Thu, 16 Nov 2023 17:53:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches Released For Microsoft WordPad Information Disclosure (CVE-2023-36563)</title>
      <link>https://0patch.com/blog/2023-11-micropatches-released-for-microsoft</link>
      <guid isPermaLink="true">https://0patch.com/blog/2023-11-micropatches-released-for-microsoft</guid>
      <description>October 2023 Windows Updates brought a patch for CVE-2023-36563, an &quot;Information Disclosure&quot; vulnerability in WordPad that was found by Microsoft Threat Intelligence as being exploited in the wild. A better name for this vulnerability would be &quot;Coerced authentication&quot; or &quot;Forced authentication&quot;, as it falls in the same class of vulnerabilities as various similar issues that we've patched before.
In any case, the vulnerability allows an attacker to create a Rich Text Format (RTF) document which, when opened by the victim in WordPad*, sends user's NTLM hash to attacker's server - where the attacker can receive it and send it to some other NTLM-enabled service in victim's network to impersonate the victim.

(* WordPad is the default application for RTF files when Office is not installed.)
While WordPad warns the user that the document contains potentially harmful remote content, and the user can choose to block such content, WordPad sends out user's NTLM hash before showing this warning - which is a bit out of order, so to speak.</description>
      <pubDate>Thu, 09 Nov 2023 23:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches Released For Microsoft Office Security Feature Bypass (CVE-2023-33150) - Plus a Small 0day</title>
      <link>https://0patch.com/blog/2023-10-micropatches-released-for-microsoft</link>
      <guid isPermaLink="true">https://0patch.com/blog/2023-10-micropatches-released-for-microsoft</guid>
      <description>In July 2023, Microsoft released a patch for CVE-2023-33150, a vulnerability in Microsoft Office that allowed an attacker to create a malicious Word document which would not open in Protected View even though it had the Mark-of-the-Web (&quot;MotW&quot;) set.
The first public detail about this vulnerability came from security researcher Eduardo B. Prado, noting that adding a non-breaking space character to the end of a Word document's extension prevents Word from opening the document in Protected View.
Subsequently, Will Dormann published his own research. Will noticed that in the process of opening a file with a non-breaking space in the extension, Word at some point - after normalizing the file path - tried to find the Mark-of-the-Web in a file without the non-breaking space, and failed because no such file existed. Using a flawed logic &quot;no file, no Mark-of-the-Web&quot;, Word then decided that it was safe to open the document without Protected View.</description>
      <pubDate>Mon, 23 Oct 2023 22:00:00 GMT</pubDate>
    </item>
    <item>
      <title>0patch Security-Adopts Windows 11 v21H2 Home and Pro to Keep it Running Securely</title>
      <link>https://0patch.com/blog/0patch-security-adopts-windows-11-v21h2</link>
      <guid isPermaLink="true">https://0patch.com/blog/0patch-security-adopts-windows-11-v21h2</guid>
      <description>This October brought the last security updates for Windows 11 version 21H2 Home and Pro versions. Windows 11 requires a Trusted Platform Module (TPM) 2.0 to be present on the computer, but for some time, it was possible to install Windows 11 version 21H2 without TPM. Many users have done that, and now that this version went out of support, they cannot upgrade to Windows 11 v22H2 and thus cannot receive future security fixes. While many modern CPU versions are supported by Windows 11, computers with unsupported CPU versions are still happily doing their work in large numbers around the world.
To keep these computers secure, we security-adopted Windows 11 v21H2 and will provide critical security patches for it from this month on, for at least one year (and longer if there is sufficient demand).
We have previously security-adopted many other Windows versions, including Windows Server 2012, which has also reached its end of support this month.</description>
      <pubDate>Wed, 18 Oct 2023 15:10:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches Released For Two Windows CNG Key Isolation Service Vulnerabilities (CVE-2023-28229, CVE-2023-36906)</title>
      <link>https://0patch.com/blog/micropatches-released-for-two-windows</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-released-for-two-windows</guid>
      <description>Last month, security researcher @k0shl of Cyber Kunlun published a proof-of-concept for CVE-2023-28229, an elevation of privilege vulnerability in CNG Key Isolation Service. The same POC also demonstrated exploitation of CVE-2023-36906, an information disclosure vulnerability in the same service discovered by the same researcher.
Microsoft had previously provided fixes for these issues in April and August 2023, respectively. According to CISA, CVE-2023-28229 was found to be exploited in the wild.

CVE-2023-28229
This bug is a race condition in the Key Isolation service running in lsass.exe that allows an attacker to use already-freed memory inside a structure. Its root cause is flawed critical section management that protects heap-based data structures from concurrent access but for some reason excludes reference counter initializations and updates. When a user spawns many concurrent threads that call SrvCryptCreatePersistedKey and SrvCryptFreeKey, these threads eventually cause the execution of said functions such that a key data structure is freed in one thread but then still used in another thread by calling the structure destructor method from an already deallocated vftable.</description>
      <pubDate>Mon, 09 Oct 2023 17:18:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches Released For Windows Error Reporting Service Elevation of Privilege (CVE-2023-36874)</title>
      <link>https://0patch.com/blog/micropatches-released-for-windows-error</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-released-for-windows-error</guid>
      <description>With July 2023 Windows Updates, Microsoft brought a fix for CVE-2023-36874, a local privilege escalation vulnerability in Windows Error Reporting Service that was found both by Google TAG and CrowdStrike to be exploited in the wild in the previous month.
When security researcher Filip Dragovic released a proof of concept for this issue, we could reproduce it and start working on a patch.

The Vulnerability
In short, the Windows Error Reporting Service has a number of functions exposed via its RPC interface, so a local process can ask it to submit a chosen error report via the function SubmitReport. This function impersonates the calling process's user and at some point launches wermgr.exe, one of the WER executables. Normally, wermgr.exe would be launched from C:\Windows\System32\, but since the service is impersonating the caller (i.e., the attacker), the CreateProcess function honors any symbolic links the caller may have in place. The attacker can, for instance, create a symbolic link mapping C:\ to an arbitrary location such as C:\Users\public\test, which will be used by the CreateProcess call.</description>
      <pubDate>Wed, 13 Sep 2023 15:39:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches Released For Windows Search Remote Code Execution (CVE-2023-36884)</title>
      <link>https://0patch.com/blog/2023-09-micropatches-released-for-windows</link>
      <guid isPermaLink="true">https://0patch.com/blog/2023-09-micropatches-released-for-windows</guid>
      <description>Alongside July 2023 Windows Updates, Microsoft revealed the existence of a 0day that was detected in the wild and assigned it CVE-2023-36884. Without issuing a patch, they titled their original advisory &quot;Office and Windows HTML RCE vulnerability&quot; as exploitation was performed using malicious Word documents, and provided workarounds that could block exploitation.

Very little information was publicly available and exploit samples that were referenced by those who claimed to be in the know seemed convoluted, comprising numerous exploits of old known vulnerabilities. The main source of useful information was security researcher Will Dormann who invested a great deal of effort in publicly dissecting many of these samples and reviewing numerous sources to meticulously separate the wheat from the chaff (see his super long Twitter thread).

In the absence of sufficient information on the vulnerability itself, we initially decided to issue a patch that implemented one of the most effective workarounds recommended by Microsoft - the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION mitigation for all Office executables.</description>
      <pubDate>Tue, 05 Sep 2023 22:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Three More Years of Critical Security Patches for Windows Server 2012 and Windows Server 2012 R2</title>
      <link>https://0patch.com/blog/three-more-years-of-critical-security</link>
      <guid isPermaLink="true">https://0patch.com/blog/three-more-years-of-critical-security</guid>
      <description>Can't upgrade your Windows Server 2012 to a newer Windows Server? No problem.

As an on-premises Windows Server 2012 user, you probably know that Microsoft plans to end its support this October. This means no more Windows updates, including security fixes, and the chilling prospect of your servers becoming progressively vulnerable as new security issues are inevitably going to be discovered.
If you're lucky enough to be an &quot;eligible customer with Software Assurance under an Enterprise Agreement&quot;, you will be able to purchase up to 3 years of Extended Security Updates (ESU) from Microsoft for an annual cost equal to &quot;100% of full license price annually&quot;.
Those of you who aren't eligible or have other reasons not to purchase ESU, but want to keep using your servers securely - we have good news for you!
Remember Windows Server 2008 R2 going out of support more than three years ago? Well, we security-adopted it and have thousands of customers still running this server securely with our security patches today.</description>
      <pubDate>Tue, 08 Aug 2023 20:43:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches Released For Denial of Service in Microsoft Message Queuing (CVE-2023-28302, CVE-2023-21769)</title>
      <link>https://0patch.com/blog/micropatches-released-for-denial-of</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-released-for-denial-of</guid>
      <description>April 2023 Windows Updates brought fixes for a number of vulnerabilities in Microsoft Message Queuing Service. We first issued patches for the &quot;Queuejumper&quot; remote code execution vulnerability (CVE-2023-21554) as its POC became available. Subsequently, we got access to POCs for two additional issues in Microsoft Message Queuing Service: CVE-2023-21769 and CVE-2023-28302, both being remote denial-of-service issues.
While still-supported Windows systems have already received the official vendor fix for these vulnerabilities, there are Windows systems out there that aren't receiving security fixes from Microsoft anymore. In order to protect these systems, we have created our own micropatches for these vulnerabilities, which are available through the 0patch service.

Our patches for these issues are similar to Microsoft's. Because the new patch for CVE-2023-28302 is in the same place as our previous patch for CVE-2023-21554, we had to revoke the latter and issue a combined patch for CVE-2023-21554 and CVE-2023-28302.</description>
      <pubDate>Fri, 14 Jul 2023 14:28:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches Released For DHCP Server Service Remote Code Execution (CVE-2023-28231)</title>
      <link>https://0patch.com/blog/micropatches-released-for-dhcp-server</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-released-for-dhcp-server</guid>
      <description>April 2023 Windows Updates brought a fix for CVE-2023-28231, a remote code execution vulnerability in DHCP Server service. The vulnerability was reported to Microsoft by security researcher YanZiShuang.
Subsequently, Numen Cyber published a POC and DarkRelay Security Labs published their analysis, both of which allowed us to reproduce the issue and create a micropatch for Windows computers that haven't received an official fix from Microsoft.

The vulnerability only affects Windows servers with DHCP Server installed, and resides in the way DHCP Server processes relay-forwarded messages, whereby a message claiming to have been forwarded by more than 32 intermediate DHCP servers breaks the code's assumptions and causes memory corruption.

While still-supported Windows servers have already received an official vendor fix for this vulnerability, Windows Server 2008 R2 isn't receiving security fixes from Microsoft anymore. In order to protect these systems, we have created our own micropatch for this vulnerability, which is available through the 0patch service.</description>
      <pubDate>Fri, 30 Jun 2023 15:17:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches Released For Windows Task Scheduler Elevation of Privilege (CVE-2023-21541)</title>
      <link>https://0patch.com/blog/micropatches-released-for-windows-task</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-released-for-windows-task</guid>
      <description>January 2023 Windows Updates brought a fix for CVE-2023-21541, a local privilege elevation in Task Scheduler. The vulnerability was reported to Microsoft by Ben Lincoln of Bishop Fox.
In April, Ben published a detailed analysis of this issue, which allowed us to reproduce the issue and create a micropatch for Windows computers that haven't received an official fix from Microsoft.

The vulnerability is easy to understand: if a scheduled task contains an environment variable in its executable path, expansion of this variable may result in double quotes around the path being lost, which could then lead to the &quot;unquoted path&quot; vulnerability.

On the other hand, the issue is not so easy to exploit, assuming that the local attacker does not have administrative privileges (why would they need a local privilege elevation vulnerability if they did?). The first condition is that a scheduled task must already exist on the system whose path to the executable contains an environment variable, and the second condition is that the attacker is able to create a malicious executable called program.</description>
      <pubDate>Fri, 30 Jun 2023 12:17:00 GMT</pubDate>
    </item>
    <item>
      <title>New 0patch Central, New Security Features</title>
      <link>https://0patch.com/blog/new-0patch-central-new-free-security</link>
      <guid isPermaLink="true">https://0patch.com/blog/new-0patch-central-new-free-security</guid>
      <description>Dear 0patch friends,

We're happy to share with you that four new highly asked-for features have been added to 0patch Central:

Multi-factor Authentication

You can now protect your 0patch account with multi-factor authentication (MFA). Use any authenticator app to configure MFA in your user profile and store recovery codes in a safe place in case you lose access to the app. This feature is available in Free, Pro, and Enterprise accounts.

Authentication Options

Select which authentication methods can be used for logging in to 0patch Central; choose between &quot;Email and Password&quot; and &quot;Single sign-on&quot;, and specify whether multi-factor authentication (&quot;MFA&quot;) is required for all users in the account. Find this feature under Account -&gt; Security in Enterprise accounts.

Password Policy

Set the password policy for users in your account; users will be forced to change their password upon next login if needed. Find this feature under Account -&gt; Security in Enterprise accounts.</description>
      <pubDate>Wed, 21 Jun 2023 13:56:00 GMT</pubDate>
    </item>
    <item>
      <title>0patch Security-Adopts Windows 10 v20H2 to Keep it Running Securely</title>
      <link>https://0patch.com/blog/0patch-security-adopts-windows-10-v20h2</link>
      <guid isPermaLink="true">https://0patch.com/blog/0patch-security-adopts-windows-10-v20h2</guid>
      <description>Last month brought the last security updates for Windows 10 version 20H2. What if your organization is still using it and doesn't want to - or can't - upgrade it yet?
Don't worry, we have previously security-adopted Windows 10 v1803 and v1809, Windows 10 v2004 and v1909, and Windows 10 v21H1.
Now we're security-adopting version 20H2.
If you're running Windows 10 v20H2 in your organization, all you need to do is install 0patch Agent on these computers and register it to an account with PRO or Enterprise subscription, and you'll start receiving critical security patches as soon as we issue them.
These micropatches will be included in 0patch PRO and Enterprise licenses along with all other micropatches we're issuing - which means that users protecting their Windows 10 v20H2 with 0patch will also receive our micropatches for &quot;0day&quot; vulnerabilities in various products.
In order to have our micropatches applied, Windows 10 v20H2 will have to have May 2023 Windows Updates (the last official updates for this version) installed.</description>
      <pubDate>Tue, 13 Jun 2023 21:36:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches Released For Remote Code Execution in Windows OLE (CVE-2023-29325)</title>
      <link>https://0patch.com/blog/micropatches-released-for-remote-code</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-released-for-remote-code</guid>
      <description>May 2023 Windows Updates brought a fix for CVE-2023-29325, a remote code execution vulnerability in Microsoft OLE (Object Linking and Embedding). The vulnerability was reported to Microsoft by Will Dormann with Vul Labs.
Will found that two of the many COM objects installed on every Windows system by default merely have to be referenced by their respective CLSIDs in a rich text email for Outlook to experience an access violation exception.
There is almost no public information on what these two COM objects were intended to do on a Windows system, but since Microsoft's fix was to block them, they probably aren't essential to any important operation. While Microsoft appears to have blocked these offensive/vulnerable COM objects via a COM activation filter, they provided no remedy for unsupported Windows versions such as Windows 7 or older Windows 10. Furthermore, still-supported Office versions were also patched to prevent usage of these two COM objects, but older versions like 2010 or 2013 weren't.</description>
      <pubDate>Mon, 05 Jun 2023 12:43:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches Released For &quot;QueueJumper&quot; Remote Code Execution in Microsoft Message Queuing (CVE-2023-21554)</title>
      <link>https://0patch.com/blog/micropatches-released-for-queuejumper</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-released-for-queuejumper</guid>
      <description>April 2023 Windows Updates brought a fix for CVE-2023-21554, a remote code execution vulnerability in Microsoft Message Queuing Service. The vulnerability, nicknamed &quot;QueueJumper&quot;, was reported to Microsoft by Wayne Low of Fortinet's FortiGuard Lab and Haifei Li with Check Point Research.
The first proof-of-concept became available on April 30, when Omair from Krash Consulting published it on GitHub. Another proof-of-concept by zoemurmure became available on May 18. Both of these made it possible for us to create a micropatch for this issue.
The vulnerability allows a remote unauthenticated attacker to cause memory corruption on a Windows computer running Microsoft Message Queuing Service, which can often be extended to executing arbitrary code on the computer. A detailed technical analysis (in Chinese) was provided by zoemurmure,

While still-supported Windows systems have already received the official vendor fix for this vulnerability, there are Windows systems out there that aren't receiving security fixes from Microsoft anymore.</description>
      <pubDate>Tue, 30 May 2023 14:03:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatch for Microsoft Outlook Notification File NTLM Hash Theft (CVE-2023-23397, CVE-2023-29324, CVE-2023-35384, CVE-2024-20652)</title>
      <link>https://0patch.com/blog/micropatch-for-microsoft-outlook</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatch-for-microsoft-outlook</guid>
      <description>March 2023 Windows Updates fixed CVE-2023-23397, a vulnerability in Microsoft Outlook that was found to be exploited in the wild since at least January this year. Microsoft revealed very little information but security researcher Dominic Chell of MDSec was quick to figure out what it was about and had a working exploit within hours of Microsoft's update release. Dominic's analysis was released soon thereafter, and POCs started cropping up all over the place.

The vulnerability allows an attacker to send the victim an email such that even without the victim reading this email, Outlook will try to play a notification sound from a file specified in the attacker's email (weird, huh?). While the more playful among us would immediately think of rickrolling our friends, serious attackers could use this &quot;feature&quot; to extract the victim's NTLM hash from their computer. Specifying a sound file on a network location such as \\attacker.com\hash_collector.mp3 would make the user's Outlook send a network request to the attacker's server, which would then request authentication, and the user's computer would respond with the user's NTLM hash.</description>
      <pubDate>Wed, 22 Mar 2023 16:14:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches for Microsoft Word Remote Code Execution (CVE-2023-21716)</title>
      <link>https://0patch.com/blog/micropatches-for-microsoft-word-remote</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-for-microsoft-word-remote</guid>
      <description>February 2023 Windows Updates brought a fix for CVE-2023-21716, a remote code execution vulnerability in Microsoft Word. The vulnerability was discovered and reported by security researcher Joshua J. Drake (Twitter, Mastodon), and subsequently published with a simple proof-of-concept.

The flaw is in Word's processing of an RTF file with an excessive number of font records, whereby a numeric operation with sign extension results in the code writing to an address outside the intended memory block. With sufficient heap grooming, arbitrary code execution could be possible upon the user merely opening a malicious Word document, previewing it in Explorer's Preview Pane, or viewing a malicious email in Outlook. This vulnerability apparently goes back to Office 97.
Microsoft's patch for this issue is not subtle at all: when a sufficiently large number of font records (specifically, more than 32760) is detected in an RTF document, Word just terminates itself.</description>
      <pubDate>Thu, 09 Mar 2023 14:10:00 GMT</pubDate>
    </item>
    <item>
      <title>Goodbye, Pesky Edge Notification, You're Not Needed Anymore!</title>
      <link>https://0patch.com/blog/goodbye-pesky-edge-notification-youre</link>
      <guid isPermaLink="true">https://0patch.com/blog/goodbye-pesky-edge-notification-youre</guid>
      <description>We security-adopted Microsoft Edge version 109 in January to allow 0patch users staying on Windows 7 or Windows Server 2008 R2 to browse the web securely. These Windows versions stopped getting security fixes for Edge, and Edge won't update beyond version 109 on them. Any PRO or Enterprise 0patch subscription now delivers critical security patches both for the operating system and the Edge browser, which makes for a lot of happy 0patch users.
There's one thing, though, that kept disturbing the peace: the pesky notification Edge was showing, reminding users that they should upgrade to Windows 10 or later, which they had clearly decided not to do. It makes sense for this warning to be displayed on a computer without 0patch, but with 0patch - nah, we needed to get it removed.

Users asked, and we delivered. Our hot-patching technology allows us not only to fix security flaws but also to change the functional behavior of Windows applications. Now that Edge has stabilized on version 109.</description>
      <pubDate>Wed, 08 Mar 2023 13:34:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches For Windows CryptoAPI Spoofing (CVE-2022-34689)</title>
      <link>https://0patch.com/blog/micropatches-for-windows-cryptoapi</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-for-windows-cryptoapi</guid>
      <description>August 2022 Windows Updates* brought a fix for CVE-2022-34689, a vulnerability in Windows CryptoAPI that allows an attacker to trick some Windows applications - depending on their use of CryptoAPI certificate caching - into accepting a fraudulent certificate. The vulnerability was reported to Microsoft by UK NCSC and the NSA, but subsequently Tomer Peled and Yoni Rozenshein of Akamai reverse engineered Microsoft's patch and provided a detailed analysis with a proof-of-concept.
(* While Microsoft published this information in October, they had silently provided the patch two months earlier.)

The vulnerability is actually a cryptographic flaw, whereby the broken MD5 hashing algorithm is used for identifying cached certificates. This allows the attacker to trick a Windows application into misidentifying a fraudulent certificate as a valid, cached one, because they both have the same MD5 hash.
It is hard to say which applications are vulnerable; any Windows application using CryptoAPI with certificate caching is a potential candidate, but exploitability may depend on how the application is being used.</description>
      <pubDate>Wed, 01 Mar 2023 21:22:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches for Windows COM+ Event System Service Elevation of Privilege Vulnerability (CVE-2022-41033)</title>
      <link>https://0patch.com/blog/micropatches-for-windows-com-event</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-for-windows-com-event</guid>
      <description>October 2022 Windows Updates brought a fix for CVE-2022-41033, a local privilege escalation vulnerability in Windows COM+ Event System Service. The vulnerability was reported to Microsoft by an anonymous source, but subsequently James Forshaw of Google Project Zero published their analysis, which included proof of concept code.

This &quot;type confusion&quot; vulnerability allows a local low-privileged attacker to provide a memory address of their choosing to vulnerable code. The POC demonstrates reading from such address (and crashes the Event System Service process as a result) but this issue was reported as exploited in the wild, so attackers must have successfully turned it into a privilege escalation.
While still-supported Windows systems have already received the official vendor fix for this vulnerability (assuming admins have applied the October 2022 or later Windows Update), there are Windows systems out there that aren't receiving security fixes from Microsoft anymore.</description>
      <pubDate>Wed, 01 Mar 2023 16:22:00 GMT</pubDate>
    </item>
    <item>
      <title>0patch Agent 22.11.11.10550 Released</title>
      <link>https://0patch.com/blog/0patch-agent-22111110550-released</link>
      <guid isPermaLink="true">https://0patch.com/blog/0patch-agent-22111110550-released</guid>
      <description>Today we released a new version of 0patch Agent that fixes some issues reported by users or detected internally by our team. We always recommend keeping 0patch Agent updated to the latest version, as we only support the last couple of versions; not updating for a long time could lead to new patches no longer being downloaded and the agent not being able to sync to the server properly.
Enterprise users can update their agents centrally via 0patch Central; if their policies mandate automatic updating for individual groups, agents in such groups will get updated automatically.
Non-enterprise users will have to update 0patch Agents manually by logging in to computers with 0patch Agent and pressing &quot;GET LATEST VERSION&quot; in 0patch Console.
We recommend automatically updating 0patch Agent: to enable automatic updates, see this article.

The latest 0patch Agent is always downloadable from https://dist.0patch.com/download/latestagent.

Release notes are available here.</description>
      <pubDate>Wed, 15 Feb 2023 13:37:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatching the &quot;LocalPotato&quot; NTLM Elevation of Privilege (CVE-2023-21746)</title>
      <link>https://0patch.com/blog/micropatching-localpotato-ntlm</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatching-localpotato-ntlm</guid>
      <description>January 2023 Windows Updates brought a fix for CVE-2023-21746, a local privilege escalation vulnerability in Windows, called &quot;LocalPotato&quot; by its discoverers Andrea Pierini and Antonio Cocomazzi. Its name is in reference to many other &quot;potato&quot; vulnerabilities that have been discovered in Windows since 2014 when James Forshaw of Google Project Zero published their analysis of Local WebDAV NTLM Reflection.

The potato vulnerability at hand, &quot;LocalPotato&quot;, was reported to Microsoft by Andrea and Antonio and will, now that the official fix has been available for a month, soon be published at https://www.localpotato.com/.

While still-supported Windows systems have already received the official vendor fix for this vulnerability (assuming admins have applied the January 2023 Windows Update), there are many Windows systems out there that aren't receiving security fixes from Microsoft anymore. In order to protect these systems, we have created our own micropatches for this vulnerability, which are available through the 0patch service.</description>
      <pubDate>Thu, 09 Feb 2023 17:38:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatching Arbitrary File Delete Vulnerability in Windows Backup Service (CVE-2023-21752)</title>
      <link>https://0patch.com/blog/micropatching-arbitrary-file-delete</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatching-arbitrary-file-delete</guid>
      <description>January 2023 Windows Updates brought a fix for a local privilege escalation vulnerability in Windows Backup Service, discovered and reported by Filip Dragovic. The vulnerability allows a non-admin user on the machine to execute arbitrary code as Local System and thereby take over the computer.

The Backup Service

The intended use of the Backup Service is through the local user interface of the legacy &quot;Backup and Restore (Windows 7)&quot; component, still existing on all Windows 10 and Windows 11 computers. A privileged user launches Backup and Restore, selects the backup destination and what they want to back up, and starts or schedules a backup. The destination can either be a local drive or a network path, and in the latter case, network credentials have to be supplied as well. The Backup Service uses these credentials for accessing the network share.

The Vulnerability

The vulnerability lies in the way Windows Backup Service tries to determine whether the user whose credentials were supplied has write access on the chosen destination or not.</description>
      <pubDate>Tue, 31 Jan 2023 16:40:00 GMT</pubDate>
    </item>
    <item>
      <title>0patch Security-Adopts Microsoft Edge on Windows 7, Server 2008 and Server 2012</title>
      <link>https://0patch.com/blog/0patch-security-adopts-microsoft-edge</link>
      <guid isPermaLink="true">https://0patch.com/blog/0patch-security-adopts-microsoft-edge</guid>
      <description>As we announced two more years of critical security patches for Windows 7 and Server 2008 R2, users started asking how they could keep browsing web sites securely given that all major browsers (Chrome, Firefox*, Edge, Brave, Vivaldi) would lose support on these Windows versions in January 2023. In addition, even on Windows Server 2012, Edge will stop getting official security updates from Microsoft in January, although the server itself is still supported until October this year - which came as quite a surprise to many organizations. **
(* Anonymous reader correctly noted that Mozilla has not yet made a formal statement on ending Firefox support on these Windows versions.)
(** Sometime between January 17 and 19, Microsoft updated their documentation with &quot;Microsoft Edge version 109 will receive critical security fixes and fixes for known exploit bugs until October 10, 2023 [on Windows Server 2012]&quot;)

Microsoft Edge version 109, deployed in the week of January 12, will therefore remain the last Edge version on all these Windows systems, and it will not get any security patches anymore.</description>
      <pubDate>Thu, 05 Jan 2023 22:22:00 GMT</pubDate>
    </item>
    <item>
      <title>0patch Security-Adopts Windows 10 v21H1 to Keep it Running Securely</title>
      <link>https://0patch.com/blog/0patch-security-adopts-windows-10-v21h1</link>
      <guid isPermaLink="true">https://0patch.com/blog/0patch-security-adopts-windows-10-v21h1</guid>
      <description>This month brought the last security updates for Windows 10 version 21H1. What if your organization is still using it and doesn't want to - or can't - upgrade it yet?
Don't worry, we have previously security-adopted Windows 10 v1803 and v1809, and subsequently Windows 10 v2004 and v1909. Now it wouldn't be fair if we didn't also security-adopt version 21H1.
So we have.

If you're running Windows 10 v21H1 in your organization, all you need to do is install 0patch Agent on these computers and register it to an account with PRO or Enterprise subscription, and you'll start receiving critical security patches as soon as we issue them.
These micropatches will be included in 0patch PRO and Enterprise licenses along with all other micropatches we're issuing - which means that users protecting their Windows 10 v21H1 with 0patch will also receive our micropatches for &quot;0day&quot; vulnerabilities in various products.
In order to have our micropatches applied, Windows 10 v21H1 will have to have December 2022 Windows Updates (the last official updates for this version) installed.</description>
      <pubDate>Wed, 21 Dec 2022 13:35:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches for Type Confusion in Internet Explorer's JScript9 Engine (0day, now CVE-2022-41128)</title>
      <link>https://0patch.com/blog/micropatches-for-type-confusion-in</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-for-type-confusion-in</guid>
      <description>With November 2022 Windows Updates, Microsoft fixed a vulnerability in Internet Explorer's JScript9 engine that was found being exploited by North Korean government-backed actors known as APT37. The vulnerability is of a &quot;type confusion&quot; sort, which means that malicious JavaScript code can confuse the JavaScript engine into thinking that a certain object is of one type (in our case, Int32Array) while it's actually of another type (in our case, Object) - and that quickly leads to reading or writing memory addresses that were not supposed to be available to said code. From that point on, arbitrary code execution can be achieved.
Benoît Sevens and Clément Lecigne of Google's Threat Analysis Group (TAG) have written a very good analysis of this vulnerability including a minimized proof of concept. This made it possible for us to create a patch for affected &quot;security-adopted&quot; Windows systems that no longer receive official fixes from Microsoft.</description>
      <pubDate>Mon, 19 Dec 2022 17:45:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches for Remote Code Execution in Windows Enterprise App Management Service (CVE-2022-35841)</title>
      <link>https://0patch.com/blog/micropatches-for-remote-code-execution</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-for-remote-code-execution</guid>
      <description>September 2022 Windows Updates brought a fix for a remotely exploitable vulnerability in the Enterprise App Management Service, discovered by security researcher Ceri Coburn of Pen Test Partners. On October 13, they published a blog post describing the vulnerability in detail, and a proof-of-concept.

The Enterprise App Management Service allows Windows admins to centrally perform various installation and application provisioning-related actions on multiple Windows computers in the network. Due to lax permissions, a non-admin attacker could perform the same actions, potentially leading to a malicious application being installed and launched on the target computer.
Microsoft's patch added code for checking whether the requestor has administrative privileges on the computer, and our patches do logically the same.

Microsoft assigned this vulnerability CVE-2022-35841.

Our micropatches were written for the following versions of Windows with all available Windows Updates installed:
Windows 10 v2004
Windows 10 v1909
Windows 10 v1809
Windows 10 v1803

Micropatches have already been distributed to all affected online computers running 0patch Agent with PRO or Enterprise license.</description>
      <pubDate>Thu, 01 Dec 2022 17:21:00 GMT</pubDate>
    </item>
    <item>
      <title>Free Micropatches For Bypassing MotW Security Warning with Invalid Signature (0day, now CVE-2022-44698 and CVE-2023-24880)</title>
      <link>https://0patch.com/blog/free-micropatches-for-bypassing-motw</link>
      <guid isPermaLink="true">https://0patch.com/blog/free-micropatches-for-bypassing-motw</guid>
<description>Update 12/13/2022: Microsoft patched this issue with December 2022 Windows Updates and assigned it CVE-2022-44698. Our patches for this issue were freely available 46 days before the original vendor patch, and now require a Pro or Enterprise license.
Update 3/15/2023: The patch Microsoft created for CVE-2022-44698 in December turned out to be flawed, and its bypass was found to be exploited in a Magniber ransomware campaign to trick users into launching a malicious MSI file without any security warnings. Microsoft assigned this bypass a separate CVE ID, CVE-2023-24880, and patched it with March 2023 updates. Their patch is in the same function as our own patch from last October, but while we decided to show users a typical Mark-of-the-Web security warning for files with a malformed signature, Microsoft decided to silently error out - doing exactly what we considered doing but decided not to, as it would confuse users (see below).</description>
      <pubDate>Fri, 28 Oct 2022 19:52:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches for two Windows Print Spooler Elevation of Privilege issues (CVE-2022-30206, CVE-2022-21997)</title>
      <link>https://0patch.com/blog/micropatches-for-two-windows-print</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-for-two-windows-print</guid>
      <description>On September 24, 2022 we were made aware of a POC for a Print Spooler elevation of privilege vulnerability discovered by security researcher luckyu with NSFOCUS TIANYUAN LAB. It turned out to be another symbolic link issue that Print Spooler has quite a history of.

The POC sets up a new printer with a custom spool directory as a non-admin user. This directory is a symbolic link to another directory, which contains a .SHD file that is itself again a symbolic link to some existing file which a non-admin user lacks permissions to delete. Then, by using file locking and performing some operations on the printer, the Print Spooler process (running as Local System) is made to delete said .SHD file, which in fact deletes the file it points to. A non-admin can therefore delete any local file that Local System is able to delete. This can, surprisingly, lead to arbitrary code execution using a trick earlier discovered by another researcher Abdelhamid Naceri and described in this ZDI article.</description>
      <pubDate>Wed, 26 Oct 2022 19:28:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches for Kerberos Elevation of Privilege (CVE-2022-33647, CVE-2022-33679)</title>
      <link>https://0patch.com/blog/micropatches-for-kerberos-elevation-of</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-for-kerberos-elevation-of</guid>
<description>Update 11/16/2023: Our patch for this vulnerability was general enough to also fix a subsequently discovered similar vulnerability in Kerberos, CVE-2023-28224.

September 2022 Windows Updates brought a fix for an elevation of privilege vulnerability in the Kerberos protocol, discovered by James Forshaw of Google Project Zero. James published a detailed analysis, and a POC was subsequently added to the Rubeus tool.

Microsoft assigned James' finding two separate CVE IDs, CVE-2022-33647 and CVE-2022-33679, but these really both have the same root cause, namely the fact that Kerberos supported two weak encryption types: RC4-MD4 (type -128) and RC4-HMAC-OLD (type -133).

James demonstrated that downgrading encryption to RC4-MD4 can allow an attacker to extract the Ticket Granting Ticket (TGT) key and use it for requesting a new TGT for the targeted user, which can be used for launching any code on the domain controller as said user.
Microsoft removed support for both weak encryption types from the Kerberos code.</description>
      <pubDate>Tue, 25 Oct 2022 22:02:00 GMT</pubDate>
    </item>
    <item>
      <title>Free Micropatches For Bypassing &quot;Mark of the Web&quot; on Unzipped Files (&quot;ZippyReads&quot; / CVE-2022-41049)</title>
      <link>https://0patch.com/blog/free-micropatches-for-bypassing-mark-of</link>
      <guid isPermaLink="true">https://0patch.com/blog/free-micropatches-for-bypassing-mark-of</guid>
<description>Update 11/8/2022: This issue, nicknamed &quot;ZippyReads&quot;, got an official fix with November 2022 Windows Updates which assigned it CVE-2022-41049. Our micropatches for it are therefore no longer free and require a PRO or Enterprise license. Details have also been published.

In May, security researcher Will Dormann found a vulnerability in Windows that allows an attacker to prevent Windows from setting the &quot;Mark of the Web&quot; flag on files extracted from a ZIP archive, even if the ZIP archive came from an untrusted source such as the Internet, email, or a USB key.
Mark of the Web (MOTW) is an important security mechanism in Windows:
- Windows will show a security warning before launching an executable file with MOTW;
- Smart App Control only works on files with MOTW (source);
- Microsoft Office blocks macros on documents with MOTW (source).

Attackers therefore understandably prefer their malicious files not being marked with MOTW; this vulnerability allows them to create a ZIP archive such that extracted malicious files will not be marked.</description>
      <pubDate>Mon, 17 Oct 2022 13:44:00 GMT</pubDate>
    </item>
    <item>
      <title>Two More Years of Critical Security Patches for Windows 7 and Windows Server 2008 R2</title>
      <link>https://0patch.com/blog/two-more-years-of-critical-security</link>
      <guid isPermaLink="true">https://0patch.com/blog/two-more-years-of-critical-security</guid>
      <description>Extended Security Updates about to be terminated? Don't worry, we have your back.

Update 8/9/2023: 0patch also security-adopts Windows Server 2012 and 2012 R2 as these server versions reach end of support. Read more about it.

Is your organization still using Windows 7 or Windows Server 2008 R2? We understand: these are good stable Windows versions that just work, do not force you to perform unneeded upgrades that change your user interface, don't distract users with ads and news they never wanted to see, don't send tons of telemetry data to Microsoft and most of all, reliably support your work processes.
Perhaps you've kept using these Windows versions without any security updates when free updates were terminated in January 2020 (narrator: &quot;That's a bit risky.&quot;). Or you may have purchased Extended Security Updates (ESU) to keep receiving official security fixes from Microsoft (narrator: &quot;That's a bit expensive.&quot;). Or, you may have been using 0patch to keep running Windows 7 and Server 2008 R2 securely by receiving our security micropatches for the most-likely-to-be-exploited critical vulnerabilities.</description>
      <pubDate>Wed, 12 Oct 2022 11:50:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches for Windows IKE Extension Remote Code Execution (CVE-2022-34721)</title>
      <link>https://0patch.com/blog/2022-10-micropatches-for-windows-ike-extension</link>
      <guid isPermaLink="true">https://0patch.com/blog/2022-10-micropatches-for-windows-ike-extension</guid>
      <description>September 2022 Windows Updates brought a fix for a remote code execution vulnerability in Windows IKE Extension discovered by Yuki Chen with Cyber KunLun. Soon after that, researchers from 78ResearchLab published an analysis and POC for this vulnerability. This made it possible for us to create a patch for affected &quot;security-adopted&quot; Windows systems that no longer receive official fixes from Microsoft.

The vulnerability is in the code responsible for handling IKEv1 (Internet Key Exchange version 1) key exchange protocol, which is deprecated but still supported for legacy reasons. It is a memory corruption issue, with the POC causing the svchost.exe process hosting the IKEEXT service to crash by attempting to read data beyond an allocated buffer. The crash only occurs with page heap (a debugging accessory) enabled for the process, while in a typical production configuration, the vulnerability could potentially be used for arbitrary code execution (as confirmed by Microsoft's advisory).</description>
      <pubDate>Tue, 04 Oct 2022 22:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches for Windows Kerberos Elevation of Privilege (CVE-2022-35756)</title>
      <link>https://0patch.com/blog/micropatches-for-windows-kerberos</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-for-windows-kerberos</guid>
      <description>August 2022 Windows Updates brought a fix for a local privilege escalation in Windows Kerberos, discovered by Nick Landers (@monoxgas) of NetSPI. Nick and James Forshaw (@tiraniddo) presented this vulnerability at the BlackHat USA 2022 conference and subsequently published proof-of-concept scripts. This made it possible for us to create a patch for affected &quot;security-adopted&quot; Windows systems that no longer receive official fixes from Microsoft.
The vulnerability allows an attacker to bypass an integrity check for a security buffer of a PAC structure sent inside the attacker's AP-REQ request. The flawed integrity check improperly inspects the security buffer type by comparing it to the constant SECBUFFER_TOKEN while ignoring that its value can also include two bit flags in the upper byte. Nick's and James' proof-of-concept adds one such flag to the value, bypassing the integrity check, and can therefore arbitrarily modify the PAC structure - for instance, to claim the requestor is not the actual low-privileged user but a local administrator.</description>
      <pubDate>Fri, 30 Sep 2022 11:14:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatch For Memory Corruption in Microsoft Outlook (CVE-2022-35742)</title>
      <link>https://0patch.com/blog/micropatch-for-memory-corruption-in</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatch-for-memory-corruption-in</guid>
<description>August 2022 Windows Updates brought a fix for a memory corruption vulnerability in Microsoft Outlook, discovered by security researcher insu of 78ResearchLab. The vulnerability exploits a flaw in Outlook's processing of multiple Content-Type headers in a multipart/signed email, whereby a malicious email can lead to freeing an unallocated memory address and crashing Outlook as such an email is downloaded (even before one can view it). Once such an email is in the user's Inbox, Outlook crashes whenever the user clicks on it or it gets displayed in the Preview pane.
While Microsoft categorized this flaw as &quot;denial of service&quot;, it seems possible it could be exploited for arbitrary code execution.

0patch security-adopted Office 2010 in November 2020 when its support was officially terminated, but Microsoft kept providing security updates for it until April 2021. After that date, we analyzed every published vulnerability affecting still-supported versions of Office to see if Office 2010 was affected, and until now, have not confirmed any.</description>
      <pubDate>Wed, 14 Sep 2022 13:21:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches for Windows IKE Extension Remote Code Execution (CVE-2022-21849)</title>
      <link>https://0patch.com/blog/micropatches-for-windows-ike-extension</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-for-windows-ike-extension</guid>
      <description>January 2022 Windows Updates brought a fix for a remote code execution vulnerability in Windows IKE Extension discovered by Polar Bear. Ten days ago (as of this writing), researchers from 78ResearchLab published an analysis and a POC for this vulnerability. This made it possible for us to create a patch for affected &quot;security-adopted&quot; Windows systems that no longer receive official fixes from Microsoft.

The vulnerability allows a remote attacker to cause memory (heap) corruption on the target computer by sending a malformed ISAKMP packet using the IKE protocol, whereby the VendorID payload is longer than the expected 10h characters. The vulnerable code namely prepares a 10-character buffer on the stack for storing this value, and in case a longer value is provided, the memcpy (memory copy) operation results in memory locations beyond the end of the buffer being overwritten with attacker-chosen content. In the absence of a negative proof, such vulnerabilities are assumed to be exploitable for arbitrary code execution (although the POC at hand only results in crashing the process).</description>
      <pubDate>Thu, 08 Sep 2022 13:05:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches for Local Privilege Escalation in LSASS (CVE-2022-30166)</title>
      <link>https://0patch.com/blog/micropatches-for-local-privilege</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatches-for-local-privilege</guid>
<description>Update 9/1/2022: Micropatches for Local Privilege Escalation in LSASS (CVE-2022-30166) that were issued yesterday were reported to cause authentication problems with SharePoint and Remote Desktop Gateway Service. After successfully reproducing the issue, these patches have just been revoked, and will be automatically disabled on all systems within 60 minutes. No action is needed on 0patch users' and administrators' end while we're working on issuing corrected patches.
Update 9/20/2022: After reproducing functional problems caused by our original micropatches we have now issued new ones. We'd like to thank all customers who promptly reported problems and helped us reproduce them. No action is needed on 0patch users' and administrators' end to have the new patches applied.

June 2022 Windows Updates brought a fix for a local privilege escalation in Local Security Authority Subsystem Service (LSASS), discovered by James Forshaw of Google Project Zero.</description>
      <pubDate>Wed, 31 Aug 2022 15:51:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatches For &quot;KrbRelay&quot; Local Privilege Escalation Vulnerability (Wontfix/0day)</title>
      <link>https://0patch.com/blog/micropatching-krbrelay-local-privilege</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatching-krbrelay-local-privilege</guid>
      <description>Update 10/21/2022: Microsoft silently fixed this issue with October 2022 Updates. No CVE ID was assigned.

&quot;KrbRelay&quot; is a tool exploiting a forced authentication issue in Windows that can be used by a low-privileged domain user to take over a Windows computer, potentially becoming a local or domain admin within minutes. The tool, based on James Forshaw's research, was developed by security researcher cube0x0, and was later wrapped by Mor Davidovich into another tool called &quot;KrbRelayUp&quot; that further automated attack steps for escalating privileges.

KrbRelay provides various options to launch different versions of the attack; some of these options were already known under the name RemotePotato0, for which we already had patches before. What was new for us with KrbRelay was its capability to launch a local service (running in session 0) via RPC and exploit it for leaking Local System credentials through forced authentication. In order to be exploitable, a service must allow authentication over the network, and just two such services were identified on affected Windows versions:
- ActiveX Installer Service, identified by CLSID 90f18417-f0f1-484e-9d3c-59dceee5dbd8; and
- RemoteAppLifetimeManager.</description>
      <pubDate>Wed, 10 Aug 2022 15:42:00 GMT</pubDate>
    </item>
    <item>
      <title>Changes in 0patch Pricing For New Subscriptions Coming in August</title>
      <link>https://0patch.com/blog/changes-in-0patch-pricing-for-new</link>
      <guid isPermaLink="true">https://0patch.com/blog/changes-in-0patch-pricing-for-new</guid>
      <description>[Update 8/1/2024: Today, 24 months after the pricing update described in this article, we are discontinuing our pre-2022 legacy prices for renewed subscriptions. All new subscriptions as well as renewals will from now on be on current prices only. This overrides information about existing subscriptions in this article.]

Over the years, 0patch has evolved from a simple proof-of-concept into a production-grade security service protecting computers around the world. We've been adding features and improving reliability, we have developed tools and processes to speed up vulnerability analysis and patch development, and we still have many ideas and plans to implement.

What was initially met with various skeptical remarks has now become a standard for protecting Windows computers in our customers' organizations who use 0patch both for keeping their legacy systems secure from old and new exploits, and for blocking 0day attacks while others are still waiting for original vendor fixes.</description>
      <pubDate>Wed, 27 Jul 2022 09:21:00 GMT</pubDate>
    </item>
    <item>
      <title>Micropatching the &quot;DFSCoerce&quot; Forced Authentication Issue (No CVE)</title>
      <link>https://0patch.com/blog/micropatching-dfscoerce-forced</link>
      <guid isPermaLink="true">https://0patch.com/blog/micropatching-dfscoerce-forced</guid>
      <description>&quot;DFSCoerce&quot; is another forced authentication issue in Windows that can be used by a low-privileged domain user to take over a Windows server, potentially becoming a domain admin within minutes. The issue was discovered by security researcher Filip Dragovic, who also published a POC.
Filip's tweet indicated this issue can be used even if you have disabled or filtered services that other currently known forced authentication issues such as PrinterBug/SpoolSample, PetitPotam, ShadowCoerce and RemotePotato0 are exploiting: &quot;Spooler service disabled, RPC filters installed to prevent PetitPotam and File Server VSS Agent Service not installed but you still want to relay DC authentication to ADCS? Don't worry MS-DFSNM have your back ;)&quot;
A quick reminder: Microsoft does not fix forced authentication issues unless an attack can be mounted anonymously. Our customers unfortunately can't all disable relevant services or implement mitigations without breaking production, so it is on us to provide them with such patches.</description>
      <pubDate>Fri, 01 Jul 2022 09:49:00 GMT</pubDate>
    </item>
  </channel>
</rss>