Tuesday, August 26, 2025

End Of Security For Microsoft Office 2016 and 2019? Not With 0patch!

Expensive Upgrade is Not Your Only Option: 0patch Will Secure Your Office Apps For Years To Come!

Much like for Windows 10, this October will also be the last month of Microsoft's official security fixes for Microsoft Office versions 2016 and 2019. The implied narrative goes: if you want to keep using Office securely, you have to throw out your 2016 and 2019 versions - which may work perfectly well for you - and either purchase Office 2024 or subscribe to one of the Microsoft 365 plans.

In contrast to Windows 10 end-of-support, however, there will be no Extended Security Updates for Office - so one can't just throw money at Microsoft to proceed without disruption.

On top of said disruption (installing and configuring new Office apps, adjusting to user interface changes, reworking integrations), there is also a question of confidentiality, or even national security, as both cloud and on-premises Office 365 versions send your every word to Microsoft's AI.

Now let's talk numbers. Anyone currently using Office 2016 or 2019 at home or at work and wanting to migrate to new, supported Office apps running on their PC (not in Microsoft's cloud) has two options:

  1. Buy Office 2024 as a one-time purchase: Organizations can purchase long-term support Office LTSC 2024, costing them about $500 for the Standard edition, and about $700 for the Professional Plus edition. Home users can buy the Home edition for $149.99, while small businesses can get Home & Business edition for $249.99.

  2. Subscribe to Microsoft 365: For organizations, the smallest plan that includes PC apps is Microsoft 365 Business Standard for $150/year (per user), while home users can get Microsoft 365 Personal for $99.99/year (for one user) or Microsoft 365 Family for $129.99/year (for 2-6 users).

 

All this is... kind of disruptive, intrusive and expensive.

Fortunately, there is an alternative that costs less, allows you to keep using your Office 2016 or 2019 apps, and protects you against the likely-to-be-exploited vulnerabilities just as well as official Office updates would (if they were to continue past October 2025, that is). 


0patch Security-Adopts Microsoft Office 2016 and 2019

With October 2025, 0patch will "security-adopt" Office 2016 and Office 2019, and will provide critical security patches for these Office versions for at least 3 more years - and even longer if there's demand on the market. While this alone is a powerful alternative to Microsoft's offerings, it is a "patching jackpot" for those using Office on Windows 10, which also goes out of free support this October. Namely, we're also security-adopting Windows 10 22H2, and patches for both will be included in a single 0patch license.  

We're the only commercial provider of unofficial security patches for Windows and Office ("virtual patches" are not really patches), and we have done this many times before: after security-adopting Windows 7 and Windows Server 2008 R2 in January 2020, we took care of 6 versions of Windows 10 as their official support ended, security-adopted Windows 11 v21H2 to keep users who got stuck there secure, and took care of Windows Server 2012 in October 2023.

But most importantly, we had already security-adopted two popular Office versions - 2010 and 2013 - when they got abandoned by Microsoft, and we are still providing security patches for customers using them.

With 0patch, you will be receiving security "micropatches" for critical, likely-to-be-exploited vulnerabilities affecting Office 2016 or Office 2019 that get discovered after October 14, 2025. These patches will be really small, typically just a couple of CPU instructions (hence the name), and will get applied to running processes in memory without modifying a single byte of original Microsoft's binary files. (See how 0patch works.)

There will be no rebooting the computer or even restarting Office applications after a patch is downloaded, because applying the patch in memory is done by briefly stopping the application, patching it, and then letting it continue. Users won't even notice that their Word or Outlook was patched while they were writing a document or replying to an email.

Just as easily and quickly, our micropatches can be un-applied if they're suspected of causing problems. Again, no rebooting or application re-launching.

Enterprise security admins know what a nightmare it is to firewall network traffic on computers with Microsoft Office if you want to allow Office Updater to work: there is an undocumented and ever-changing set of IP addresses that need to be allowed, and the updater executable is in a different folder for every update. 0patch puts an end to this nightmare: we only need a single IP address and port open. Another plus for security.


And You Won't Only Get Our Office Patches...

Office 2016 and Office 2019 patches will be added to our PRO and Enterprise plans, which means they will be bundled with all other patches we have, including:  

  1. "Legacy" patches - all patches for security-adopted products. For instance, if you're using Office 2016 or 2019 on a Windows 10 22H2 computer that will also stop receiving free Windows Updates this October, a single 0patch license will cover both Windows and Office for you. Alternatively, if you're already using 0patch PRO or Enterprise on a computer, our patches for Office 2016 and 2019 will automatically be delivered there without you having to do - or pay - anything.
     
  2. "0day" patches - patches for vulnerabilities that have become known, and are possibly already exploited, but for which no official vendor patches are available yet. We've fixed many such 0days in the past, for example "Follina" (13 days before Microsoft), "DogWalk" (63 days before Microsoft), Microsoft Access Forced Authentication (66 days before Microsoft) and "EventLogCrasher" (100+ days before Microsoft). On average, our 0day patches become available 49 days before official vendor patches for the same vulnerability.

  3. "Wontfix" patches - patches for vulnerabilities that the vendor has decided not to fix for some reason. The majority of these patches currently fall into the "NTLM coerced authentication" category: the NTLM protocol is more prone to abuse than Kerberos, and Microsoft has decided that any security issues related to NTLM should be fixed by organizations abandoning their use of NTLM. Microsoft therefore doesn't patch these types of vulnerabilities, but many Windows networks can't just give up on NTLM for various reasons, and our "Wontfix" patches are there to prevent known attacks in this category. At this time, our "Wontfix" patches are available for the following known NTLM coerced authentication vulnerabilities: DFSCoerce, PrinterBug/SpoolSample, PetitPotam and WSPCoerce.

  4. Non-Microsoft patches - while most of our patches are for Microsoft's code, occasionally a vulnerability in a non-Microsoft product also needs to be patched when some vulnerable version is widely used, or the vendor doesn't produce a patch in a timely manner. Patched products include Java runtime, Adobe Reader, Foxit Reader, 7-Zip, WinRAR, Zoom for Windows, Dropbox app, and NitroPDF.

 

While you're probably reading this article because you're interested in keeping Office secure, you should know that our "0day", "Wontfix" and Non-Microsoft patches are also available for still-supported Windows versions such as Windows 11 and Windows Server 2022, and we keep updating them as needed. Currently, about 40% of our customers are using 0patch on supported Windows versions as an additional layer of defense or for preventing known NTLM attacks that Microsoft doesn't have patches for.

 

How about the cost? Our Office 2016 and Office 2019 patches will be included in two paid plans:

  1. 0patch PRO: suitable for small businesses and individuals, management on the computer only, single administrator account - currently priced at 24.95 EUR + tax per computer for a yearly subscription.
  2. 0patch Enterprise: suitable for medium and large organizations, includes central management, multiple users and roles, computer groups and group-based patching policies, single sign-on etc. - currently priced at 34.95 EUR + tax per computer for a yearly subscription.

Prices may get adjusted in the future but if/when that happens anyone having an active subscription on current prices will be able to keep these prices on existing subscriptions for two more years. (Another reason to subscribe sooner rather than later.)


How to Prepare for October 2025

 

Organizations

Organizations need time to assess, test, purchase and deploy a new technology so it's best to get started as soon as possible. We recommend the following approach:

  1. Read our Help Center articles to familiarize yourself with 0patch.
  2. Create a free 0patch account and start a free Enterprise trial at the top of the page.
  3. Install 0patch Agent on some testing computers with Office 2016 or 2019 installed, ideally with other typical software you're using, especially security software.
  4. Familiarize yourself with 0patch Central.
  5. See how 0patch works with your apps, report any issues to support@0patch.com.
  6. Deploy 0patch Agent on all machines with Microsoft Office 2016 or 2019.
  7. Purchase licenses.
  8. In October 2025, update Office with the latest available updates.
  9. Let 0patch take over Office patching.
  10. If any Office updates happen to be provided by Microsoft any time after October 2025, install them.

 

Home Users and Small Businesses

Home users and small businesses who want to keep using Office 2016 or 2019 but don't need enterprise features like central management, patching policies and users with different roles, should do the following:

  1. Read our Help Center articles to familiarize yourself with 0patch.
  2. Create a free 0patch account and start a free PRO trial at the top of the page.
  3. Install 0patch Agent on your computer(s).
  4. See how 0patch works with your apps, report any issues to support@0patch.com.
  5. Purchase licenses.
  6. In October 2025, update Office with the latest available updates.
  7. Let 0patch take over Office patching.
  8. If any Office updates happen to be provided by Microsoft any time after October 2025, install them.

 

Distributors, Resellers, Managed Service Providers

We have a large and growing network of partners providing 0patch to their customers. To join, send an email to sales@0patch.com and tell us whether you're a distributor, reseller or MSP, and we'll have you set up in no time.

We recommend you find out which of your customers may be affected by Office end-of-support, and let them know about 0patch so they have time to assess it.

More information:


Frequently Asked Questions

Q: How long do you plan to provide security patches for Office 2016 and 2019 after October 2025?

A: We initially plan to provide security patches for 3 years, but will extend that period if there is sufficient demand. (We're now in year 5 of Office 2010 support and will extend it further.)


Q: How much will it cost to use 0patch for protecting Office 2016 or 2019?

A: Our current yearly price for 0patch PRO is 24.95 EUR + tax per computer, and for 0patch Enterprise 34.95 EUR + tax per computer. Note, however, that these plans also include many non-Office patches (see above).

Active subscriptions will keep these prices for two more years in case of pricing changes.


Q: I am using Office 2016 or 2019 on a Windows 10 22H2 computer, and they both go out of support in October. What does this mean for me?

A: You're in luck: Both problems can be resolved with a single 0patch license. Just make sure you have Windows updated with October 2025 updates, Office updated to the latest available update, and 0patch set up on your computer.


Q: What is the difference between 0patch PRO and 0patch Enterprise?

A:  While both plans include all security patches, 0patch Enterprise also includes central management via 0patch Central, multiple users and roles, computer groups and group-based patching policies, single sign-on and various other enterprise functions.


Q: What is 0patch FREE?

A: 0patch FREE is a free 0patch plan that only includes "0day patches", i.e., patches for vulnerabilities that don't have an official vendor fix available (yet). 0patch FREE does not include security patches needed for keeping Microsoft Office secure after October 2025. Please see this article for more information on restrictions regarding 0patch FREE.

 

Q: Does 0patch also provide general technical support for Office 2016 and 2019?

A: No. We only provide security patches and support related to our service.


Q: Where can I learn more about 0patch?

A: Our Help Center has many answers for you.

Tuesday, August 12, 2025

Micropatches Released for Windows Update Service Elevation of Privilege Vulnerability (CVE-2025-48799)

July 2025 Windows Updates brought a patch for CVE-2025-48799, a local privilege elevation vulnerability allowing a local non-administrative attacker to obtain administrative privileges. The vulnerability was found and reported to Microsoft by Filip Dragović.

 

The Vulnerability 

The vulnerability allows a low privileged user on a computer with at least two hard drives to confuse the Windows Update service into deleting a chosen folder. Arbitrary file or folder deletion can be turned into arbitrary code execution as Local System, as was first shown by Jonas Lykkegård in 2020 using Windows Error Reporting Service, and subsequently also by Abdelhamid Naceri using Windows Installer.

Filip kindly released a POC that can be used to reproduce the issue.

 

Microsoft's Patch

Microsoft patched this issue by adding a check for symbolic links for the user-supplied path. 

 

Our Patch

Our patch is logically identical to Microsoft's.

Let's see our patch in action:


Micropatch Availability

Micropatches were written for the following security-adopted Windows versions:

  1. Windows 11 v21H2 - fully updated
  2. Windows 10 v21H2 - fully updated
  3. Windows 10 v21H1 - fully updated
  4. Windows 10 v20H2 - fully updated
  5. Windows 10 v2004 - fully updated
  6. Windows 10 v1909 - fully updated
  7. Windows 10 v1809 - fully updated
  8. Windows 10 v1803 - fully updated


Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

We'd like to thank Filip Dragović for sharing their finding and their POC, which allowed us to reproduce the issue and create patches for our users.

Did you know 0patch will security-adopt Windows 10 when it goes out of support in October 2025, allowing you to keep using it for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.

Thursday, July 24, 2025

Micropatches Released for Windows Disk Cleanup Tool Elevation of Privilege Vulnerability (CVE-2025-21420)

February 2025 Windows Updates brought a patch for CVE-2025-21420, a local privilege elevation vulnerability allowing a local attacker to execute malicious code in another user's existing session using said user's identity. Microsoft's advisory does not reveal who reported this vulnerability to Microsoft (or whether they had discovered it internally).

 

The Vulnerability 

Security researcher moiz reverse engineered Microsoft's patch for cleanmgr.exe in February's Windows updates and found that Microsoft had added the ProcessRedirectionTrustPolicy mitigation (a.k.a. Redirection Guard) to the process, which causes the process to ignore symbolic links created by low-privileged users. Based on this information, moiz monitored the behavior of the Disk Cleanup tool when launched and found that it was vulnerable to symbolic link redirection. Placing a symbolic link from a certain file that a low-privileged user can create, to another file that can only be deleted by a high-privileged user, can result in deletion of the latter file when Disk Cleanup's scheduled task is launched. Moiz gracefully shared their analysis and POC.

Arbitrary file deletion can be turned into arbitrary code execution as Local System, as was first shown by Jonas Lykkegård in 2020 using Windows Error Reporting Service, and subsequently also by Abdelhamid Naceri using Windows Installer.

So the low-privileged user just prepares the right files, sets symbolic links, and starts the scheduled task? Hmm, strange, because Disk Cleanup scheduled task is set to run as "Users", not some privileged account like "Local System". One would expect it to be launched with attacker's own identity, which would not result in file deletion due to permissions on the target file. And the fact that the task is set to "Run with highest privileges" doesn't help either because that would only ensure that if a non-elevated admin were to launch it, it would run as elevated admin - but the attacker cannot be elevated.

So why does the attack work at all?

It turns out that - cue raised eyebrows - launching the Disk Cleanup scheduled task as any logged-in user not only gets it launched in said user's session, but in all existing sessions on the computer, just as if those other users had launched it themselves! This means that if an administrator is logged in to the computer, and the attacker then connects to it via remote desktop, the attacker will be able to launch the Disk Cleanup scheduled task in the administrator's session. In that session, the vulnerable cleanmgr.exe would be executed, auto-elevated, and would follow the attacker's symbolic links to eventually delete the system file the attacker wanted to delete.

Needless to say, such an attack is even easier to imagine on a Windows Server with terminal services, where users are meant to be logged in at the same time.

 

Microsoft's Patch

As moiz had noticed, Microsoft added the ProcessRedirectionTrustPolicy mitigation to cleanmgr.exe to prevent it from following low-privileged users' symbolic links. 

 

Our Patch

While we could do the same as Microsoft, Redirection Guard is not available on all affected security-adopted Windows versions, so we wrote a patch that checks the path of the to-be-deleted file and determines if it is a symbolic link. If it isn't, the patch allows the file to be deleted, otherwise it blocks the deletion. This approach is more rigorous than Microsoft's (with their patch, an administrator's symlinks would be accepted), but we believe that there aren't any valid scenarios where an administrator's links would be used in this context - and Microsoft just took the easy road by adding the mitigation to the process. (Which was the smart thing to do for them.)
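The symlink check that both patches rely on (the CVE-2025-48799 post above describes checking the user-supplied path for symbolic links, and this post describes checking the to-be-deleted path), as an added example in portable Python that is not 0patch's or Microsoft's code: it refuses a deletion if any path component below a trusted root is a symbolic link or, on Windows, a reparse point such as a junction, and it also rejects `..` traversal out of the root. The trusted-root model, the `safe_delete` name and the fixture paths are assumptions for the example; where the real services obtain their paths is not modeled.

```python
"""Refuse to delete through symbolic links or reparse points (added example)."""
from __future__ import annotations

import os
import shutil
import stat
import tempfile
from pathlib import Path

# FILE_ATTRIBUTE_REPARSE_POINT (0x400) is the Windows attribute set on symlinks,
# junctions and other reparse points; st_file_attributes is only populated on
# Windows, so elsewhere the attribute test simply sees 0.
REPARSE_POINT = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)


def is_link(component: Path) -> bool:
    """True if this component itself is a symlink (any OS) or a reparse point (Windows).

    lstat inspects the component instead of following it, which is the whole point."""
    st = os.lstat(component)
    if stat.S_ISLNK(st.st_mode):
        return True
    return bool(getattr(st, "st_file_attributes", 0) & REPARSE_POINT)


def safe_delete(trusted_root: Path, user_path: str) -> tuple[bool, str]:
    """Delete user_path (relative to trusted_root) unless a component below the root is a link.

    Returns (deleted, reason) so the caller can log why a request was refused."""
    root = Path(os.path.realpath(trusted_root))
    # normpath collapses ".." textually without touching the filesystem, so a
    # traversal attempt is rejected before anything is resolved.
    target = Path(os.path.normpath(root / user_path))
    if root not in target.parents:
        return False, "path escapes trusted root"
    # Walk from the root down to the leaf: a directory link in the middle of the
    # path redirects the operation just as effectively as a link at the leaf.
    component = root
    for part in target.relative_to(root).parts:
        component = component / part
        try:
            if is_link(component):
                return False, f"link in path: {component.name}"
        except FileNotFoundError:
            return False, "path does not exist"
    if target.is_dir():
        shutil.rmtree(target)
    else:
        target.unlink()
    return True, "deleted"


def demo() -> dict[str, object]:
    """Constructed fixture: a scratch folder a low-privileged user controls and a
    protected file outside it that links inside the scratch folder point at."""
    base = Path(os.path.realpath(tempfile.mkdtemp()))
    protected_dir = base / "protected"
    protected_dir.mkdir()
    protected = protected_dir / "important.dat"
    protected.write_text("must survive")
    scratch = base / "scratch"
    scratch.mkdir()
    (scratch / "temp.log").write_text("junk")
    os.symlink(protected, scratch / "temp_link")     # leaf component is a link
    os.symlink(protected_dir, scratch / "dirlink")   # link in the middle of the path
    results = {
        "plain_file": safe_delete(scratch, "temp.log"),
        "leaf_link": safe_delete(scratch, "temp_link"),
        "link_in_path": safe_delete(scratch, "dirlink/important.dat"),
        "traversal": safe_delete(scratch, "../protected/important.dat"),
        "protected_survived": protected.exists(),
    }
    shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Checking only the final component is the classic mistake: the service would still follow a directory junction higher up in the path. On Windows, `os.symlink` in `demo()` needs developer mode or the create-symbolic-link privilege, which is also why a real check should treat junctions (creatable without that privilege) the same as symlinks, as the reparse-point test here does.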

Let's see our patch in action:


Micropatch Availability

Micropatches were written for the following security-adopted Windows versions:

  1. Windows 11 v21H2 - fully updated
  2. Windows 10 v21H2 - fully updated
  3. Windows 10 v21H1 - fully updated
  4. Windows 10 v20H2 - fully updated
  5. Windows 10 v2004 - fully updated
  6. Windows 10 v1909 - fully updated
  7. Windows 10 v1809 - fully updated
  8. Windows 10 v1803 - fully updated

Note that Windows 7, Server 2008 R2, Server 2012 and Server 2012 R2 are not affected by this issue.

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

We'd like to thank moiz for sharing their finding and their POC, which allowed us to reproduce the issue and create patches for our users.

Did you know 0patch will security-adopt Windows 10 when it goes out of support in October 2025, allowing you to keep using it for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.

Thursday, July 10, 2025

Micropatches Released for "WSPCoerce" Coerced Authentication via Windows Search Protocol (NO CVE/WONTFIX)

Coerced authentication is any method that allows an attacker to force a target system to authenticate against attacker's computer and reveal its credentials in the process. The most useful form of coerced authentication on Windows is arguably one that forces a remote Windows computer to send its machine (system) account's NTLM credentials to attacker, which can then be relayed to another computer.

Microsoft does not consider "coerced authentication" methods vulnerabilities worth fixing and rather suggests several options for mitigating attacks, including disabling NTLM. For various, mostly legacy-related reasons, many large organizations can't implement these options.

That is why we at 0patch have decided to provide our own patches for known coerced authentication issues so that both legacy Windows systems like Windows 7 and Server 2008 R2 and the latest Windows 11 and Server 2025 that are using NTLM get to be properly protected. So far we have been providing (and dutifully porting to new versions of executable files) patches for these coerced authentication issues:

  1. PetitPotam
  2. PrinterBug/SpoolSample and
  3. DFSCoerce.

We are now adding a fourth coerced authentication issue to the list: "WSPCoerce". WSPCoerce was discovered by Simon Lemire who also published a WSPCoerce proof-of-concept tool. The tool sends a request to the Windows Search Service running by default on any Windows workstation (but not on servers), causing it to read a shared folder on attacker's computer - revealing machine account's NTLM credentials in the process.

Our patch adds a security check to the processing of affected search requests such that a remote machine can only request a search of a shared folder on the same remote machine (the target machine), and not on some other machine in the network. This preserves search and indexing functionality, but prevents coerced authentication.
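The rule described above (a search request may only reference a share on the target machine itself), as an added example in Python that is not 0patch's patch code: `allow_search_path` parses the UNC path out of a request and accepts it only when the host is one of the machine's own names or addresses. What counts as "the machine itself" (NetBIOS name, FQDN, IP addresses) is passed in explicitly, the names used are constructed, and the `ipv6-literal.net` host form is not handled.

```python
"""Accept only UNC paths whose host is this machine (added example)."""
import ipaddress
import re

# \\host\share[\...] with an optional \\?\UNC\ long-path prefix; host and share
# may not contain backslashes. Forward slashes are normalized before matching.
UNC_RE = re.compile(
    r"^\\\\(?:\?\\UNC\\)?(?P<host>[^\\]+)\\(?P<share>[^\\]+)(?:\\.*)?$",
    re.IGNORECASE,
)


def parse_unc(path: str):
    """Return (host, share) for a UNC path, or None when it does not parse as one."""
    m = UNC_RE.match(path.replace("/", "\\"))
    return (m.group("host"), m.group("share")) if m else None


def is_local_host(host: str, local_names: set, local_ips: set) -> bool:
    """Match a requested host against this machine's own names and addresses.

    Names compare case-insensitively with trailing dots removed, and a bare short
    name matches the first label of a local FQDN. IP literals are compared as
    parsed addresses, and loopback always counts as local."""
    h = host.rstrip(".").lower()
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        ip = None
    if ip is not None:
        known = {ipaddress.ip_address(a) for a in local_ips}
        return ip.is_loopback or ip in known
    names = {n.rstrip(".").lower() for n in local_names} | {"localhost"}
    names |= {n.split(".")[0] for n in names}
    return h in names


def allow_search_path(path: str, local_names: set, local_ips: set) -> bool:
    """Decide whether a search/indexing request for `path` may proceed."""
    p = path.replace("/", "\\")
    if p.startswith("\\\\?\\") and not p.upper().startswith("\\\\?\\UNC\\"):
        return True   # \\?\C:\... is just the long-path form of a local drive path
    if not p.startswith("\\\\"):
        return True   # plain local path, no remote host involved
    parsed = parse_unc(p)
    if parsed is None:
        return False  # looks like UNC but does not parse: fail closed
    host, _share = parsed
    return is_local_host(host, local_names, local_ips)


if __name__ == "__main__":
    # Constructed identity for the machine running the check.
    me = {"WS01", "ws01.corp.example"}
    my_ips = {"10.0.0.5"}
    for candidate in (r"\\WS01\C$", r"\\fileserver\share", r"C:\Users\Public"):
        print(candidate, "->", "allowed" if allow_search_path(candidate, me, my_ips) else "blocked")
```

Two choices matter for a check like this: anything that starts like a UNC path but fails to parse is rejected rather than waved through as "local", and comparison happens on parsed addresses and normalized names so that case, trailing dots and the long-path prefix cannot be used to dodge the comparison.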

 

Micropatch Availability

Micropatches were written for:

 Legacy Windows versions:

  1. Windows 11 v21H2 - fully updated
  2. Windows 10 v21H2 - fully updated
  3. Windows 10 v21H1 - fully updated
  4. Windows 10 v20H2 - fully updated
  5. Windows 10 v2004 - fully updated
  6. Windows 10 v1909 - fully updated
  7. Windows 10 v1809 - fully updated
  8. Windows 10 v1803 - fully updated
  9. Windows 7 - fully updated without ESU, with ESU 1, ESU 2 or ESU 3
  10. Windows Server 2012 - fully updated without ESU or with ESU 1
  11. Windows Server 2012 R2 - fully updated without ESU or with ESU 1
  12. Windows Server 2008 R2 - fully updated without ESU, with ESU 1, ESU 2, ESU 3 or ESU 4

 Windows versions still receiving Windows Updates:

  1. Windows 11 v24H2 - fully updated   
  2. Windows 11 v23H2 - fully updated
  3. Windows 11 v22H2 - fully updated
  4. Windows 10 v22H2 - fully updated
  5. Windows Server 2025 - fully updated
  6. Windows Server 2022 - fully updated
  7. Windows Server 2019 - fully updated 
  8. Windows Server 2016 - fully updated 
  9. Windows Server 2012 fully updated with ESU 2
  10. Windows Server 2012 R2 fully updated with ESU 2

 

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

We'd like to thank Simon Lemire for sharing their finding and their tool, which allowed us to reproduce the issue and create patches for our users.

Did you know 0patch will security-adopt Windows 10 when it goes out of support in October 2025, allowing you to keep using it for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.

Monday, June 16, 2025

Micropatches Released for WEBDAV Remote Code Execution Vulnerability (CVE-2025-33053)



June 2025 Windows updates brought a fix for CVE-2025-33053, a remote code execution vulnerability that was found to be exploited in the wild. The vulnerability allows a malicious URL file pointing to a legitimate local Windows executable to "sideload" a DLL or EXE from attacker's server on the Internet when opened.

Note that while Microsoft titled this issue "WEBDAV Remote Code Execution", the vulnerability can be generally exploited using any SMB network share, including an internal network shared folder. However, since most firewalls and Internet Service Providers block SMB traffic, WebDAV makes for a much more powerful attack scenario as it allows the malicious DLL to be loaded from a server on the Internet right through the firewall.

 

The Vulnerability 

This vulnerability was detected by Alexandra Gofman and David Driker with Check Point Research, who wrote up a detailed analysis. Windows Internet shortcut files, also called URL files by their .url extension, are text-based files initially designed to be desktop shortcuts to Internet sites. As the documentation states, "When the user clicks the icon, the browser is launched and displays the site associated with the shortcut."

In reality, URL files also allow for direct launching of executable files from a specified path, and apparently also with a specified CWD (current working directory) - which can point to a network path under attacker's control. This becomes very important when the launched executable - e.g., a legitimate Windows executable from C:\Windows\System32 folder - tries to load some DLL or launch an EXE and looks for it in the CWD according to its effective search order strategy. In effect, this then becomes a "binary planting" attack with a twist.

The attack detected by Check Point used a malicious URL file specifying a path to a legitimate local Windows executable C:\Program Files\Internet Explorer\iediagcmd.exe, and WorkingDirectory pointing to attacker's Internet-based network share.

When launched, iediagcmd.exe in turn launches other executables like ipconfig.exe and route.exe without providing full path to them. According to the CreateProcess documentation, the executable to be launched is searched for in the following locations:

  1. The directory from which the application loaded.
  2. The current directory for the parent process.
  3. The 32-bit Windows system directory.
  4. The 16-bit Windows system directory.
  5. The Windows directory.
  6. The directories that are listed in the PATH environment variable.

Note that the parent executable (iediagcmd.exe) resides in the C:\Program Files\Internet Explorer folder, while ipconfig.exe and route.exe reside in the C:\Windows\System32 folder. Therefore, the latter are not found in "the directory from which the application loaded," so the process tries the current working directory next.

Which is on attacker's network share. 

While this attack could easily be mounted inside the victim computer's network, the attacker would have to already be inside this network. That is where WebDAV comes in: when the Web Client service is running on the computer, remote network shares are not only accessible via the SMB protocol, but also via HTTP-based WebDAV that goes right through the company's firewall. With WebDAV, the malicious ipconfig.exe or route.exe can be hosted on an Internet web server, and they will be automatically downloaded and executed by Windows when a user in a firewalled corporate network opens the malicious URL file that seemingly only launches a trusted local executable.
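The search order above, as an added example (not from the post, Check Point or Microsoft): the Python below models the documented CreateProcess lookup on a constructed directory tree and shows that an unqualified `ipconfig.exe` resolves into the working directory ahead of System32 whenever the working directory holds a file of that name, while the same lookup lands in System32 once the working directory is left out of the search, which is the effect of not honoring a URL file's WorkingDirectory. Directory names mirror the post but live under a temporary folder; the function names are assumptions.

```python
"""Model the CreateProcess search order and flag a working-directory hit (added example)."""
import shutil
import tempfile
from pathlib import Path


def search_order(app_dir, cwd, system32, system16, windows, path_dirs=(), include_cwd=True):
    """Directories in the order CreateProcess consults them for an unqualified name.

    include_cwd=False skips the current directory, i.e. the working directory
    is simply not part of the search."""
    order = [Path(app_dir)]
    if include_cwd:
        order.append(Path(cwd))
    order += [Path(system32), Path(system16), Path(windows), *map(Path, path_dirs)]
    return order


def resolve(name, order):
    """First directory in `order` holding a file called `name` (first match wins), or None."""
    for directory in order:
        candidate = directory / name
        if candidate.is_file():
            return candidate
    return None


def audit(name, app_dir, cwd, system32, system16, windows, path_dirs=()):
    """Where `name` resolves with and without the CWD, and whether the CWD wins."""
    with_cwd = resolve(name, search_order(app_dir, cwd, system32, system16, windows, path_dirs, True))
    without_cwd = resolve(name, search_order(app_dir, cwd, system32, system16, windows, path_dirs, False))
    return {
        "with_cwd": with_cwd,
        "without_cwd": without_cwd,
        "cwd_wins": with_cwd is not None and with_cwd.parent == Path(cwd),
    }


def demo():
    """Constructed layout mirroring the post: the parent under Program Files\\Internet
    Explorer, ipconfig.exe and route.exe in System32, and a working directory that
    holds an ipconfig.exe of its own."""
    base = Path(tempfile.mkdtemp())
    app_dir = base / "Program Files" / "Internet Explorer"
    windows = base / "Windows"
    system32 = windows / "System32"
    system16 = windows / "System"
    cwd = base / "working_dir"
    for d in (app_dir, system32, system16, cwd):
        d.mkdir(parents=True)
    (app_dir / "iediagcmd.exe").write_bytes(b"parent")
    (system32 / "ipconfig.exe").write_bytes(b"legitimate")
    (system32 / "route.exe").write_bytes(b"legitimate")
    (cwd / "ipconfig.exe").write_bytes(b"untrusted")  # constructed: same name in the working dir
    report = {
        "ipconfig": audit("ipconfig.exe", app_dir, cwd, system32, system16, windows),
        "route": audit("route.exe", app_dir, cwd, system32, system16, windows),
    }
    shutil.rmtree(base)
    return report


if __name__ == "__main__":
    for exe, result in demo().items():
        print(exe, "->", result["with_cwd"], "| without CWD:", result["without_cwd"],
              "| CWD wins:", result["cwd_wins"])
```

`route.exe` shows the contrast: with no same-named file in the working directory the lookup falls through to System32 either way. The only difference between the two runs for `ipconfig.exe` is whether the working directory sits in the search list at position 2, which is why removing it from the search is a complete fix for this lookup and a fully qualified path in the parent process would have been another.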

 

Microsoft's Patch

Microsoft patched this issue by changing the behavior of URL files so as to ignore the WorkingDirectory value when launching executables.

 

Our Micropatch

Our patch does the exact same thing as Microsoft's.


Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

  1. Windows 11 21H2 - fully updated
  2. Windows 10 21H2 - fully updated
  3. Windows 10 21H1 - fully updated
  4. Windows 10 20H2 - fully updated
  5. Windows 10 2004 - fully updated
  6. Windows 10 1909 - fully updated
  7. Windows 10 1809 - fully updated
  8. Windows 10 v1803 - fully updated
  9. Windows 7 - fully updated without ESU, with ESU 1, ESU 2 or ESU 3
  10. Windows Server 2008 R2 - fully updated without ESU, with ESU 1, ESU 2, ESU 3 or ESU 4
  11. Windows Server 2012 - fully updated without ESU, with ESU 1
  12. Windows Server 2012 R2 - fully updated without ESU, with ESU 1

 

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that). 

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

We would like to thank security researchers Alexandra Gofman and David Driker with Check Point Research for publishing their analysis, which made it possible for us to create a micropatch for this issue.

Did you know 0patch will security-adopt Windows 10 when it goes out of support in October 2025, allowing you to keep using it for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.

Thursday, May 29, 2025

Micropatches Released for Preauth DoS on Windows Deployment Service (CVE-2025-29957)

May 2025 Windows updates brought a fix for CVE-2025-29957, a denial of service vulnerability allowing an attacker in the network to easily consume all available memory on a Windows Server with Windows Deployment Service installed. This could leave said server unable to provide Windows deployment services as well as other services such as network file sharing, printing, or any other functionality its configured server roles provide.

The vulnerability was reported to Microsoft by security researchers R4nger & Zhiniang Peng.

 

Microsoft's Patch

Microsoft patched this issue by properly freeing allocated memory on each remote session initiation.

 

Our Micropatch

Our patch does the exact same thing as Microsoft's.


Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

  1. Windows Server 2012 - fully updated without ESU, with ESU 1
  2. Windows Server 2012 R2 - fully updated without ESU, with ESU 1


Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that). 

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

We would like to thank security researcher Zhiniang Peng for publishing their analysis, which made it possible for us to create a micropatch for this issue.

Did you know 0patch will security-adopt Windows 10 and Office 2016/2019 when they go out of support in October 2025, allowing you to keep using them for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.

Monday, May 26, 2025

Micropatches Released for Microsoft Management Console Security Feature Bypass Vulnerability (CVE-2025-26633)

March 2025 Windows updates brought a fix for CVE-2025-26633, a security feature bypass vulnerability in Windows that allows a malicious script to bypass one of the security warnings displayed when opening a Microsoft Console (.msc) file that was loaded from the Internet.

The vulnerability was reported to Microsoft by security researcher Aliakbar Zahravi with Trend Micro.

Aliakbar also published a detailed analysis of this vulnerability, which allowed us to reproduce the issue and create our own patches for security-adopted Windows versions that are no longer receiving updates from Microsoft.


Microsoft's Patch

Microsoft patched this issue by preventing users from launching .msc files marked with Mark of the Web (MotW).
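The blocking rule described above, as an added example (not 0patch's or Microsoft's code): it parses the Zone.Identifier alternate data stream in which Windows stores the Mark of the Web and decides whether an .msc file should be refused. The sample stream content is constructed, and the fail-closed handling of a malformed ZoneId is this example's own choice, not documented Windows behaviour.

```python
"""Added example (not 0patch's or Microsoft's code): evaluate the Mark of the
Web (MotW) on a .msc file. MotW lives in an NTFS alternate data stream named
Zone.Identifier, INI-style text with a [ZoneTransfer] section."""
from pathlib import Path
from typing import Dict, Optional

# URL security zone ids used in ZoneId (0=Local machine, 1=Intranet,
# 2=Trusted sites, 3=Internet, 4=Restricted sites).
BLOCKED_ZONES = {3, 4}

# Constructed sample of a Zone.Identifier stream for a file saved by a browser.
SAMPLE_INTERNET_MOTW = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/downloads/console.msc\r\n"
)


def parse_zone_identifier(stream: str) -> Dict[str, str]:
    """Return the key=value pairs of the [ZoneTransfer] section; other sections are ignored."""
    fields: Dict[str, str] = {}
    in_section = False
    for raw in stream.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def should_block_msc(filename: str, zone_stream: Optional[str]) -> bool:
    """True when an .msc file carries a MotW from a blocked zone.
    No stream means no MotW (a local file). A stream with a missing or malformed
    ZoneId is treated as blocked: this example's fail-closed assumption."""
    if Path(filename).suffix.lower() != ".msc" or zone_stream is None:
        return False
    zone_id = parse_zone_identifier(zone_stream).get("ZoneId", "")
    if not zone_id.isdigit():
        return True
    return int(zone_id) in BLOCKED_ZONES


def read_motw(path: str) -> Optional[str]:
    """Read a file's Zone.Identifier stream on NTFS (Windows only); None if absent."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None
```

On a Windows host, `should_block_msc(p, read_motw(p))` over a directory of .msc files lists the consoles the patched MMC would refuse to open; on other systems `read_motw` returns None and nothing is flagged.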


Our Micropatch

Our patch does the exact same thing as Microsoft's.


Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

  1. Windows 11 21H2 - fully updated
  2. Windows 10 21H2 - fully updated
  3. Windows 10 21H1 - fully updated
  4. Windows 10 20H2 - fully updated
  5. Windows 10 2004 - fully updated
  6. Windows 10 1909 - fully updated
  7. Windows 10 1809 - fully updated
  8. Windows 10 v1803 - fully updated
  9. Windows 7 - fully updated without ESU, with ESU 1, ESU 2 or ESU 3
  10. Windows Server 2008 R2 - fully updated without ESU, with ESU 1, ESU 2, ESU 3 or ESU 4
  11. Windows Server 2012 - fully updated without ESU, with ESU 1
  12. Windows Server 2012 R2 - fully updated without ESU, with ESU 1


Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that). 

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

We would like to thank security researcher Aliakbar Zahravi with Trend Micro for publishing their analysis, which made it possible for us to create a micropatch for this issue.

Did you know 0patch will security-adopt Windows 10 when it goes out of support in October 2025, allowing you to keep using it for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.