0patch Blog

Wednesday, May 21, 2025

How MSPs Can Handle Windows 10 End of Support with 0patch

“Patching Windows 10 after end-of-support? Done.”

October 14, 2025, is a date that’s probably already circled in red on your Windows 10 clients’ calendars – or at least, it should be. It’s the day Microsoft stops releasing security updates for Windows 10. Yes, it’s the official End of Support (EoS) date, and we all know what that means: a scramble for upgrades, extended support costs.

As an MSP, this is both a headache and an opportunity. After all, your clients rely on you to keep their systems secure, compliant, and running smoothly. And if history is any guide, some of them will be clinging to their Windows 10 machines well into 2026 and beyond.

So, what’s your move? Why not 0patch? It’s your chance to offer a smarter, more cost-effective alternative to expensive upgrades and risky unpatched systems. Let’s talk about why.

Why Your Clients Don’t Want to Upgrade (and Why You Shouldn’t Force Them)

Let’s face it, some users just don’t want to give up their trusty Windows 10 machines, and for good reasons.

We get it. You’re probably already hearing this from your clients:

• “This machine is still perfectly fine. I’m not replacing it.”

• “I am not a fan of Windows 11. It’s too different.”

• “We just upgraded the software. It works. Why change it?”

• “Windows 11 feels more like spyware than software.”

• “Budget is tight. I can’t afford to replace half my hardware.”

• “My computer can’t run Windows 11”.

Sound familiar? This is where 0patch comes in. Instead of pushing clients to upgrade, you can keep their systems secure without the cost, disruption, and user frustration of a full OS migration.

If it ain’t broke... – It’s stable, familiar, and does the job, so why rock the boat?

Why MSPs Should Care About 0patch for Windows 10

1. Incredibly Simple Management

0patch was designed with MSPs in mind, offering a centralized, cloud-based management console that makes it easy to deploy, monitor, and manage patches across multiple clients. No more chasing down individual endpoints or dealing with complex configurations – it just works.

2. Extended Windows 10 Security Without Upgrading

Microsoft will officially stop providing security updates for Windows 10 in October 2025, which means systems still running it will be exposed to critical vulnerabilities. However, with 0patch, you can keep these systems secure by applying micro-patches to known vulnerabilities, even after Microsoft ends support. This means you can offer your clients a cost-effective, low-risk way to keep their operations running smoothly without forcing them into expensive, disturbing upgrades.

3. Rapid and Non-Disruptive Patching

Traditional patching can be time-consuming and disruptive for your clients, often requiring reboots and extensive testing. 0patch solves this with its micropatches, which are tiny, targeted code updates that apply in memory without restarting systems. This means less downtime, happier clients, and fewer headaches for your team.

4. Reduced Attack Surface and Compliance

With 0patch, your clients’ systems get only the security fixes they actually need, minimizing the attack surface, mitigating risks and reducing the time of unintentional disruptions. This also helps with regulatory compliance, especially in industries like healthcare, finance, and government where security is tightly regulated.

5. Cost Savings for Your Clients (and You)

Upgrading to a new operating system can be a massive expense, not just in terms of licensing but also in training, hardware upgrades, and migration costs. With 0patch, you can help your clients extend the life of their current infrastructure, reducing overall IT spending and freeing up budget for other critical projects.

0patch – Your Stress-Free, High-Margin Patching Solution

For MSPs, 0patch ticks all the right boxes:

• Zero Reboots, Zero Downtime – Apply security patches to running processes. No annoying reboots or maintenance windows.

• Instant Rollback – Reverse a patch in real-time if it causes issues – no reinstalling, no system restore needed.

• Lightweight Patches – Micro-patches that are just a few machine instructions – fast to deploy, low bandwidth.

• Multi-Tenant Friendly – Manage all your clients through 0patch Central.

• Compliance Support – Stay audit-ready even on unsupported systems (ISO 27001, GDPR, NIS2).

• No Vendor Lock-In – Use 0patch alongside your existing RMM and PSA tools – no need to rip and replace.

What’s In It for You as an MSP?

• New Revenue Stream – offer 0patch as a premium, ongoing security service.

• Reduced Overhead – fewer support tickets, no emergency patch frenzies.

• Client Retention – keep clients happy and secure without forcing upgrades.

• Differentiation – stand out by offering a modern, micropatching approach your competitors might miss.

What’s In It for Your Clients?

• Peace of Mind – security for systems they’re not ready (or able) to upgrade.

• Cost Savings – no need to buy new hardware or expensive extended support.

• Less Disruption – no downtime, no “surprise” patch day headaches.

• Flexibility – protect legacy systems without pressure to migrate.

• A better way to handle Windows 10 EoS.

What’s Next?

If you’re managing clients with Windows 10 systems, now is the perfect time to consider 0patch as a key part of your service portfolio. By offering this innovative micro-patching solution, you can strengthen your client relationships, differentiate your services, and build a more resilient, future-proof IT environment.

Instead of pushing for mass upgrades, give your clients a smarter choice: keep Windows 10 secure and compliant without the headaches.

Learn more about how 0patch can keep your clients’ systems secure beyond 2025, and join the growing number of MSPs who are making smarter, more agile security a cornerstone of their service offerings.

Contact us today at partners@0patch.com to learn how 0patch can benefit your clients and your business. Or better yet, try 0patch for yourself and see how it can transform your patching game.

Tuesday, March 25, 2025

Micropatches released for SCF File NTLM Hash Disclosure Vulnerability (0day) - and Free Micropatches for it

While patching a SCF File NTLM hash disclosure issue on our security-adopted Windows versions, our researchers discovered a related vulnerability on all Windows Workstation and Server versions from Windows 7 and Server 2008 R2 to the latest Windows 11 v24H2 and Server 2025. The vulnerability allows an attacker to obtain user's NTLM credentials by having the user view a malicious file in Windows Explorer - e.g., by opening a shared folder or USB disk with such file, or viewing the Downloads folder where such file was previously automatically downloaded from attacker's web page.

Impact and attack scenarios of this issue are identical to that of a previously discovered 0day in URL files (subsequently patched by Microsoft), although the flaw is different here and to our knowledge not discussed in public before.

[Update 04/09/2025] We were informed by George Hughey with MSRC Vulnerabilities & Mitigations that Microsoft recently brought a change to how SCF files are behaving. We have confirmed that on computers with January 2025 Windows Updates installed, Windows Explorer exhibits the behavior we're describing here only if the SCF file does not have the Mark of the Web. This means that attack scenarios on still-supported Windows versions like Windows 11 v24H2 do not include drive-by-downloaded SCF files, but do still include SCF files on network shared folders or USB drives. We'd like to thank George for sharing this information with us.

Note that while these types of vulnerabilities are not critical and their exploitability depends on several factors (e.g., the attacker either already being in the victim's network or having an external target like a public-facing Exchange server to relay the stolen credentials to), they have been found to be used in actual attacks ([1][2]).

We reported this issue to Microsoft, and - as usual - issued micropatches for it that will remain free until Microsoft has provided an official fix.

We are withholding details on this vulnerability until Microsoft's fix becomes available to minimize the risk of malicious exploitation.

This is the fourth 0day we have recently found and reported to Microsoft, after the Windows Theme file issue (subsequently patched by Microsoft as CVE-2025-21308), the Mark of the Web issue on Server 2012 (still a 0day without an official patch), and the URL File NTLM Hash Disclosure Vulnerability (subsequently patched by Microsoft as CVE-2025-21377).

In addition, the "EventLogCrasher" vulnerability, allowing an attacker to disable all Windows event logging on all domain computers (reported to Microsoft in January 2024 by security researcher Florian), is still waiting for an official patch so our patches for it are the only ones available.

There are also currently three NTLM-related publicly known "wont fix" vulnerabilities that Microsoft decided not to patch with 0patch patches available: PetitPotam, PrinterBug/SpoolSample and DFSCoerce. All of these are present on all latest fully updated Windows versions, and if your organization is using NTLM for any reason, it could be affected.

Currently, 40% of our users are using 0patch for protection against 0day and "wont fix" vulnerabilities, while others use 0patch for keeping their legacy Windows systems and Office versions secure with our security patches.

Micropatch Availability

Since this is a "0day" vulnerability with no official vendor fix available, we are providing our micropatches for free until such fix becomes available.

Micropatches were written for:

Legacy Windows versions:

Windows 11 v21H2 - fully updated
Windows 10 v21H2 - fully updated
Windows 10 v21H1 - fully updated
Windows 10 v20H2 - fully updated
Windows 10 v2004 - fully updated
Windows 10 v1909 - fully updated
Windows 10 v1809 - fully updated
Windows 10 v1803 - fully updated
Windows 7 - fully updated with no ESU, ESU 1, ESU 2 or ESU 3
Windows Server 2012 - fully updated with no ESU or ESU 1
Windows Server 2012 R2 - fully updated with no ESU or ESU 1
Windows Server 2008 R2 - fully updated with no ESU, ESU 1, ESU 2, ESU 3 or ESU 4

Windows versions still receiving Windows Updates:

Windows 11 v24H2 - fully updated
Windows 11 v23H2 - fully updated
Windows 11 v22H2 - fully updated
Windows 10 v22H2 - fully updated
Windows Server 2025 - fully updated
Windows Server 2022 - fully updated
Windows Server 2019 - fully updated
Windows Server 2016 - fully updated
Windows Server 2012 fully updated with ESU 2
Windows Server 2012 R2 fully updated with ESU 2

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

Did you know 0patch will security-adopt Windows 10 and Office 2016/2019 when they go out of support in October 2025, allowing you to keep using them for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.

Friday, March 7, 2025

Micropatches Released for SCF File NTLM Hash Disclosure Vulnerability (No CVE)

While we're on the subject of NTLM hash leaking vulnerabilities [1][2], we found this widely known issue of the same type that was patched by Microsoft at various points in time but never seemed to have received CVE IDs.

The issue is in SCF files with the IconFile property being a network share path like \\<IP_address>\file leaking user's NTLM hash to the network location when the user simply views a folder with such SCF file.

This issue has been documented and mentioned many times in the past, but the oldest mention we could find was this article by Bosko Stankovic of DefenseCode written in May 2017. (The DefenseCode domain is no longer active, so the link is to an archived article on the Internet Archive.)

The vulnerability has long been patched on Windows 10 machines and Windows Servers 2019 and higher, while Windows 7, Windows 8, and Windows Server 2008-2016 only received a patch in August 2024.

Microsoft's Patch

Microsoft patched this issue by calling MapUrlToZone to determine the security zone of the icon file, then deciding based on that whether or not to attempt to load the icon.

Our Micropatch

Our patch is similar to Microsoft's.

Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

Windows 7 - fully updated without ESU, or with ESU 1, ESU 2 or ESU 3
Windows Server 2012, Server 2012 R2 - fully updated without ESU
Windows Server 2008 R2 - fully updated without ESU, or with ESU 1, ESU 2 or ESU 3

Newer versions of Windows Server 2008 (ESU 4) and Windows Server 2012 (ESU 1) do not need our patch as they already have Microsoft's installed.

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

We would like to thank Bosko Stankovic of DefenseCode for sharing their analysis, which made it possible for us to create a micropatch for this issue.

Did you know 0patch will security-adopt Windows 10 when it goes out of support in October 2025, allowing you to keep using it for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.

Thursday, February 13, 2025

Analysis of a Flaw in Microsoft's Patch for "copy2pwn" (CVE-2024-38213)

This is a story of a temporarily flawed Microsoft patch.

CVE-2024-38213 is a vulnerability that causes files copied from WebDAV shared folders to Windows machine to not have the Mark of the Web (MotW) applied. This results in such files being overly trusted by Windows Explorer, Defender, SmartScreen and possibly other security products, and vulnerabilities like this are being exploited in the wild.

The vulnerability was discovered by security researcher Peter Girnus and Simon Zuckerbraun with the ZDI and reported to Microsoft, who provided a patch for it with July 2024 updates. Their advisory was, however, not released until August 2024, which was also when Peter published their detailed analysis. and nicknamed the vulnerability "copy2pwn".

We were naturally interested in the vulnerability as it was likely also affecting security-adopted legacy Windows systems for which Microsoft was no longer providing security patches.

Our review of Microsoft's patch, however, revealed something interesting:

It didn't work.

Analysis of the Flaw

CVE-2024-38213 manifests itself on a vulnerable Windows computer when we copy a file using Ctrl-C & Ctrl-V from a WebDAV share, or drag-and-dropping a file from such share. The latter results in a warning (Image 1), but both methods fail to flag the file with Mark of the Web (MotW).

Image 1: Security warning when drag-and-dropping a file from a network folder

For some reason, even a fully patched testing Windows computer was still behaving the same: no MotW on the copied file.

Analyzing Microsoft's patch, we found that the code for preventing exploitation of CVE-2024-38213 was there, but for some reason it didn't make a difference. Going further, we discovered that all Windows versions updated to August 2024, except Windows 11 and Server 2022, were still vulnerable.

Let's take a look at a relevant section of this code.

Image 2: _StampMotWonDestFileIfNeeded function

The _StampMotwOnDestFileIfNeeded function, added by the patch, has a very descriptive name when we consider CVE-2024-38213 and what it exploits. The function calls MapUrlToZone, based on which it should mark files with MotW when they come from the internet - but fails to do that. Halting execution with WinDbg we could see the execution flow went left (green arrow) after the first function code block (Image 2), which resulted in jumping to the exit block without setting the MotW.

This jump was caused by the compare instruction in the first block: cmp [rcx+89h], 0 so we wanted to know where the value at address rcx+89h came from. In situations like this, esReverse, a powerful reversing and binary analysis solution from eShard, saves the day. Its taint analysis functionality allowed us to take rcx+89h, track it through execution history, and quickly find all places where it was changed and by who. The taint path can traverse processes in case the data we're interested in gets sent from one process to another, tracing it all the way through the kernel.

Image 3: esReverse's Taint analysis window

We set up tainting from our current "transition" 447150053, to the very first transition as shown on Image 3. "Tag0" represents the data we're interested in tracing: 0xead25c9 is actually rcx+89h at the time of the execution entering function _StampMotwOnDestFileIfNeeded, and 1 is the number of bytes we care about at that location. Once we had the taint results, we analyzed all transitions and found that the last one was in the CTSTransfer constructor where rcx+89h location is initialized to 0. Then we needed to find the last change that affected location rcx+89h and caused the MotW logic in _StampMotwOnDestFileIfNeeded to be skipped.

Image 4: Instruction that sets the relevant variable to 0

The last executed instruction before _StampMotwOnDestFileIfNeeded compares the value at [rcx+89h] to 0 is: mov [rbx+89h], dil (Image 4) in the CTSTransfer constructor. We now only needed to find who sets the value of dil (the low 8 bytes of register rdi) and why.

Analyzing all transitions, we found the bug in function _InitializeZoneIdentifierInterfaces, called from the CTSTransfer constructor: when calling CoCreateInstance, the return value was compared to 0, and if equal, the function exited assuming CoCreateInstance had failed (Image 5).

Image 5: Return value of CoCreateInstance is compared to zero

But this is wrong: 0 is the value of S_OK, a.k.a. "Operation successful," while the code is treating it as an error.

We had our culprit! This bug in _InitializeZoneIdentifierInterfaces resulted in critical IInternetSecurityManager interface code being skipped, which left the interface uninitialized, resulting in _StampMotwOnDestFileIfNeeded determining that it could not use function MapUrlToZone - and deciding to bail out instead of setting a Mark of the Web on the copied file.

Fortunately, Microsoft must have also noticed this flaw and corrected it with the next Windows Update.

Image 6: comparison of fixed code (left) and flawed code (right)

Image 6 shows Microsoft's fix for this flaw. As is often the case, Microsoft's patch comes with a "patch switch" allowing for "enabling" the new code via a registry value. This makes sense in cases where the new code has a potential to cause functional problems so individual patches can be "turned off". We're not sure why this could be the case here (with the obvious programming error), but we appreciate the opportunity to show both pre-patch and post-patch code on the same image.

As you can see, the only difference between vulnerable pre-patch code and fixed post-patch code is in a single instruction: jz ("jump if zero") in pre-patch code results in erroring out when the call to CoCreateInstance succeeds (which is wrong), while js ("jump if signed", i.e., jump if negative) in post-patch code errors out when the call fails.

Our Micropatch

Our patch for legacy Windows systems - Windows 7, Server 2008 R2, and several Window 10 versions - was logically identical to Microsoft's (the corrected one, of course). This video shows it in action.

Vulnerabilities like this one get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email sales@0patch.com for a trial. Everything else will happen automatically. No computer reboot will be needed.

To learn more about 0patch, visit our Help Center.

We'd like to thank Peter Girnus with the ZDI for sharing vulnerability details, which allowed us to reproduce it and create a micropatch. We also encourage all security researchers who want to see their vulnerabilities patched to share them with us or alert us about their publications.

Did you know 0patch will security-adopt Windows 10 as well as Office 2016 and Office 2019 when they all go out of support in October 2025, allowing you to keep using them for at least 5 more years? Read more about it here.

Analysis was performed and written by our reverse engineering and patching expert Ziga Sumenjak.

Tuesday, February 11, 2025

Micropatches Released for Microsoft Outlook Remote Code Execution Vulnerability (CVE-2025-21357)

January 2025 Windows updates brought a fix for CVE-2025-21357, a remote code execution vulnerability in Microsoft Outlook. This vulnerability allows an attacker with access to the Exchange server with user's credentials to execute arbitrary code on user's computer when the user connects to Exchange with Outlook.

The vulnerability was reported to Microsoft by security researchers Jeongmin Choi, JongGeon KIM, Kiyeon Jeong, JunHyuk Im, and SeungYun LEE with bObffice (BOB13th), and Michael Gorelik and Arnold Osipov with Morphisec.

Michael Gorelik with Morphisec privately shared details and POC with us,which allowed us to reproduce the issue and create our own patches for security-adopted Outlook versions that are no longer receiving updates from Microsoft.

Microsoft's Patch

Microsoft patched this issue by initializing a previously uninitialized variable in the affected data structure to 0, preventing a previously possible invalid pointer dereference.

Our Micropatch

Our patch is logically equivalent to Microsoft's.

Micropatch Availability

Micropatches were written for the following security-adopted versions of Microsoft Office with all available Windows Updates installed:

Microsoft Office 2010 - fully updated
Microsoft Office 2013 - fully updated

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

We would like to thank Michael Gorelik with Morphisec for privately sharing details and POC with us, which made it possible for us to create a micropatch for this issue.

To learn more about 0patch, please visit our Help Center.

Friday, February 7, 2025

Micropatches Released for Active Directory Certificate Services Elevation of Privilege Vulnerability (CVE-2024-49019)

November 2024 Windows updates brought a fix for CVE-2024-49019, a privilege escalation vulnerability allowing, under specific conditions, a domain user to create a certificate for another domain user, e.g., domain administrator - and then use it for logging in as that user.

The vulnerability was reported to Microsoft by security researchers Lou Scicchitano, Scot Berner, and Justin Bollinger with TrustedSec.

Justin then published a detailed article on this vulnerability,which allowed us to reproduce the issue and create our own patches for security-adopted Windows versions that are no longer receiving updates from Microsoft.

Microsoft's Patch

Microsoft patched this by adding a new function call that disables the Extended Key Usage attribute.

Our Micropatch

Our patch performs the same operation with additional optimizations to logic and code flow.

Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

Windows Server 2008 R2 - - fully updated without ESU, with ESU 1, ESU 2, ESU 3 or ESU 4
Windows Server 2012 - fully updated without ESU, with ESU 1
Windows Server 2012 R2 - fully updated without ESU, with ESU 1

Only Windows Servers are affected by this issue.

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

We would like to thank researchers Lou Scicchitano, Scot Berner, and Justin Bollinger with TrustedSec for publishing their analysis, which made it possible for us to create a micropatch for this issue.

Did you know 0patch will security-adopt Windows 10 when it goes out of support in October 2025, allowing you to keep using it for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.

Micropatches Released for Windows OLE Remote Code Execution (CVE-2025-21298)

January 2025 Windows updates brought a fix for CVE-2025-21298, a memory corruption issue in Windows OLE data processing that can be exploited by a malicious Word document or a malicious email read in Outlook to execute arbitrary code on user's computer. (Probably also in multiple other ways, but these would be the obvious attack scenarios.)

The vulnerability was reported to Microsoft by security researchers Jmini, Rotiple, D4m0n with Trend Micro Zero Day Initiative.

Subsequently, security researcher Miloš published their analysis and POC of this vulnerability,which allowed us to reproduce the issue and create our own patches for security-adopted Windows versions that are no longer receiving updates from Microsoft.

Microsoft's Patch

The root cause of this issue is in function UtOlePresStmToContentsStm free'ing a stream object, but then storing the just free'd pointer which subsequently gets used again.

Microsoft patched this issue by overwriting the free's stream pointer with NULL, preventing its subsequent use.

Our Micropatch

Our patch does the exact same thing as Microsoft's.

Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

Windows 11 v21H2 - fully updated
Windows 10 v21H2 - fully updated
Windows 10 v21H1 - fully updated
Windows 10 v20H2 - fully updated
Windows 10 v2004 - fully updated
Windows 10 v1909 - fully updated
Windows 10 v1809 - fully updated
Windows 10 v1803 - fully updated
Windows 7 - fully updated without ESU, with ESU 1, ESU 2 or ESU 3
Windows Server 2008 R2 - - fully updated without ESU, with ESU 1, ESU 2, ESU 3 or ESU 4
Windows Server 2012 - fully updated without ESU, with ESU 1
Windows Server 2012 R2 - fully updated without ESU, with ESU 1

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

We would like to thank researchers Jmini, Rotiple, and D4m0n for sharing their finding with Microsoft, and security researcher Miloš for publishing their analysis and POC, which made it possible for us to create a micropatch for this issue.

Did you know 0patch will security-adopt Windows 10 when it goes out of support in October 2025, allowing you to keep using it for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.