Micropatch for Windows Zero Day

Wednesday, September 26, 2018 @ 11:09 AM gHale

A micropatch is ready to go via the 0patch platform for the Zero Day vulnerability in Microsoft’s JET Database Engine.

Micropatch distribution platform provider ACROS Security released the 21-byte patch for the vulnerable msrd3x40.dll binary.


The 0patch release came out the day after Trend Micro's Zero Day Initiative (ZDI) published its proof-of-concept exploit.

A micropatch was ready the day after the initial proof of concept was published by ZDI, said Mitja Kolsek, ACROS Security chief executive, in a post.

Kolsek said the remotely exploitable vulnerability in all Windows versions (discovered by Lucas Leong) was disclosed publicly because Microsoft missed ZDI's 120-day fixing window. The 0patch team tested ZDI's proof-of-concept and found the following:
1. Jet is only supported in 32-bit, which means that a 64-bit application tricked into accessing a malformed data source file will not be exploitable. Indeed, double-clicking ZDI's poc.js on 64-bit Windows results in an error message; in order to launch poc.js on a 64-bit machine one needs to use the 32-bit wscript.exe by launching c:\windows\SysWOW64\wscript.exe poc.js.
2. Obviously, getting a user to launch a .js file is not a convincing attack scenario (such a file could already do anything within the user's privileges). The good news for attackers is that this attack can be mounted via Internet Explorer, especially since even on 64-bit Windows, Internet Explorer rendering processes are 32-bit. On the upside, we were unable to get the exploit working from a web site because – at least on IE11 – the security setting "Access data sources across domains" is disabled in the Internet and Intranet zones, which resulted in a JavaScript error. Launching a malicious poc.html from a local drive (or USB disk) does work, however, whereby the accompanying data source file can be in a shared folder and doesn't need to be delivered with poc.html. Nevertheless, the user then has to press the "Allow blocked content" button, which amounts to a considerable level of social engineering required to execute the attack via Internet Explorer.
3. A more realistic attack could probably be conceived using a malicious Office document referencing an external malformed Jet data source. We haven’t investigated that, however, as our job is not to write exploits but micropatches. (Resourceful attackers will soon reveal their weaponization ideas anyway.)
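The two conditions the findings above hinge on can be checked from the defender's side: whether a 32-bit Jet engine binary is present on the machine at all, and whether Internet Explorer's "Access data sources across domains" setting is actually disabled for the Internet and Intranet zones. The following read-only PowerShell audit is an added example; it is not code from the article, from ACROS Security or from the 0patch platform. The candidate locations of msrd3x40.dll (SysWOW64 and System32), the zone registry paths, and the use of action value 1406 for that IE setting are assumptions drawn from general Windows knowledge rather than from the article, and should be confirmed against the build being audited.

```powershell
# Added example, not from the article or from ACROS/0patch. Read-only audit of the
# two conditions the 0patch findings rely on. Run as the user whose IE zone settings
# matter (HKCU) and, for the HKLM views, from an elevated prompt.

# 1. Is a 32-bit Jet engine binary present? On 64-bit Windows the 32-bit system
#    directory is SysWOW64 (the article launches the 32-bit wscript.exe from there).
#    ASSUMPTION: msrd3x40.dll lives in one of these two directories.
$candidates = @(
    (Join-Path $env:SystemRoot 'SysWOW64\msrd3x40.dll'),
    (Join-Path $env:SystemRoot 'System32\msrd3x40.dll')
)
foreach ($path in $candidates) {
    if (Test-Path -Path $path) {
        $info = (Get-Item -Path $path).VersionInfo
        [pscustomobject]@{
            Check   = 'JetBinary'
            Path    = $path
            Version = $info.FileVersion
            SHA256  = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
        }
    }
}

# 2. IE "Access data sources across domains" per zone.
#    ASSUMPTION: in the Internet Settings zone keys this is action value 1406
#    (0 = Enable, 1 = Prompt, 3 = Disable); zone 1 = Local intranet, zone 3 = Internet.
#    The 0patch finding says it is disabled in both, which is what blocked the
#    web-hosted variant of the proof of concept on IE11.
$zoneRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
foreach ($root in $zoneRoots) {
    foreach ($zone in 1, 3) {
        $key = Join-Path -Path $root -ChildPath $zone
        if (-not (Test-Path -Path $key)) { continue }
        $raw = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'1406'
        if ($null -eq $raw) { continue }   # value not set in this hive/zone
        $state = $meaning[[int]$raw]
        if (-not $state) { $state = "Unknown($raw)" }
        [pscustomobject]@{
            Check   = 'IE-DataSourcesAcrossDomains'
            Hive    = $root
            Zone    = $zone
            Setting = $state
            Raw     = $raw
        }
    }
}
```

A policy-hive entry (the two Policies paths) takes precedence over the per-user or per-machine value when both exist, so if the audit prints more than one row for the same zone, treat the Policies row as the effective setting. Any row for zone 1 or 3 that is not "Disable" means the web-hosted attack path the finding describes is not blocked by this setting on that machine.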

Following a few small changes to match the affected Windows 10 binary, two micropatches (one for Windows 7 and one for Windows 10) were released.

“One of our goals with 0patch is to make vulnerability patching so fast that attackers won’t even manage to develop a reliable exploit for a public vulnerability, much less launch a campaign with it, before the vulnerability is already patched on most users’ computers,” Kolsek said.

Binary micropatches issued through the 0patch platform are entirely free and can be applied to vulnerable systems without the need to restart the affected process or to reboot the machine they're running on.

Micropatches distributed via the 0patch platform keep vulnerable systems safe until an official patch is released.

Once a binary is patched using a micropatch, exploits for that vulnerability become ineffective, since the code path that could be exploited is changed and the vulnerability is removed.

Users can download and apply all available micropatches to vulnerable binaries on their machines after creating an account on 0patch.com, downloading the 0patch Agent on their computers and registering the agent to their device.

Micropatches developed by ACROS Security allow users vulnerable to Zero Days to patch their systems and secure them until Microsoft releases official patches for the issue.
