Friday, September 20, 2019

Micropatching Keeps Windows 7 and Windows Server 2008 R2 Secure After Their End-Of-Support

Becoming an Adoptive Parent For Abandoned Windows

by Mitja Kolsek, the 0patch Team





Hello people, it's nice to step out for a moment and see the daylight. Those of you following us have noticed our near radio silence in the past months. To stop you from worrying I'd like to just quickly update you all on what's going on inside our walls (spoiler: a lot) and what our plans are (spoiler: big).

As you know, Windows 7 and Windows Server 2008 R2 are reaching their end-of-support on January 14 next year, which is causing a lot of headaches for people and companies who are entirely happy with the way these OSs work, or have compatibility requirements preventing them from upgrading. If they want to keep receiving security fixes, their options are: (a) to upgrade to Windows 10 or a newer server version, or (b) to buy Extended Security Updates from Microsoft (conditions apply, and third-party patch management solutions cannot be used for their delivery).

NetMarketShare shows that last month, 5 months before end-of-support, 30% of desktop OSs were running Windows 7. With the current upgrading trend, we can safely forecast that the number of Windows 7 machines on February 11, 2020 (the first Patch Tuesday to exclude them) will be approximately somewhere between huge and vast. There are few public stats on how Windows Server 2008 R2 is doing but judging from what our users are saying, it's not going to get extinct anytime soon.
 
You see where we're going with this. Back in January 2018, we at 0patch "security-adopted" Microsoft Office Equation Editor, a program integrated into Microsoft Word with which scientists, teachers and students had written millions of equations. They were all suddenly left without a way to edit their equations when Microsoft decided to delete Equation Editor from their computers.

What we did was create micropatches for all known Equation Editor vulnerabilities and write instructions for users to bring Equation Editor back onto their computers, so they could continue using it while keeping Office regularly updated with Microsoft's security patches.

But that was just a trial run for becoming an adoptive parent of a vendor-abandoned product. This time we're going bigger: we're going to security-adopt Windows 7 and Windows Server 2008 R2 for those of you who want to keep them patched after their official security updates have dried out.

What does this mean, exactly?

It means that after the last official security update has been issued for Windows 7 and Windows Server 2008 R2 in January 2020, we'll start doing the following:

  1. Each Patch Tuesday we'll review Microsoft's security advisories to determine which of the vulnerabilities they have fixed for supported Windows versions might apply to Windows 7 or Windows Server 2008 R2 and present a high-enough risk to warrant micropatching.
  2. For the identified high-risk vulnerabilities we'll inspect Windows Updates for supported Windows versions (e.g., Windows 10) to confirm whether the vulnerable code that was fixed in Windows 10 is actually present on Windows 7 or Windows Server 2008 R2. (For all intents and purposes, such vulnerabilities will be considered 0days for these OSs.)
  3. If the high-risk vulnerable code is found to be present on Windows 7 or Windows Server 2008 R2, we'll start a process of obtaining a proof-of-concept (POC) for triggering the vulnerability. Sometimes a POC is published by security researchers soon after the official vendor fix is out (and sometimes even before); other times we can get one from our partner network or threat intelligence sources; occasionally researchers share a POC with us privately; and sometimes we have to create a POC ourselves by analyzing the official patch and working our way out towards the input data that steers the execution to the vulnerability.
  4. Once we have a POC and know how the vulnerability was fixed by the people who know the vulnerable code best (i.e., Microsoft developers), we'll port their fix, functionally speaking, as a series of micropatches to the vulnerable code in Windows 7 and Windows Server 2008 R2, and test them against the POC. After additional side-effect testing we'll publish the micropatches and have them delivered to users' online machines within 60 minutes. (Which, by the way, means that many Windows 7 and Windows Server 2008 R2 machines will be patched sooner than those with still-supported Windows versions, where organizations will continue to prudently test Windows updates for days or weeks before having them applied to all computers.)

We expect you might have questions at this point; please see our FAQ about Windows 7 and Windows Server 2008 R2 Post-End-of-Support Security Micropatches.

Okay - but what are we so busy with now? A lot of things:
 
Firstly, in order for large organizations to be able to use 0patch efficiently, we're developing a central management service (think WSUS for 0patch, but nice and fast) which will allow admins to organize computers in groups and apply different policies to these groups. Admins will thus be able to set up "testing" groups where new micropatches will be applied immediately, and subsequently have them applied to the rest of their computers with a few clicks (and of course, without users ever noticing anything). Naturally they'll also be able to un-apply any micropatches just as easily and quickly should they choose to. There will be alerts, graphs, reports, and drill-downs, and the very next step will be an on-premises version of 0patch server which so many organizations are asking for.

Secondly, we're growing our team: things are buzzing in our 0patch bootcamp and a nice side effect of passing one's knowledge onto others is that one has to neatly organize and document it. Consequently, adding further new members to the team afterwards will be even smoother and quicker.

Lastly, we're enhancing our reversing, patch analysis, vulnerability analysis, micropatch development and micropatch porting processes with new tools and techniques. Suffice it to say that we've never had as many disassemblers, debuggers, decompilers, plugins and concurrently opened reversing projects running as we have now. But the thing I'm personally most excited about is our introduction of symbolic execution into the micropatch creation, verification and porting processes. We've been aiming for eventual formal verification of our micropatches since the beginning, and we're finally working on that. But not only that: symbolic execution and emulation will help us catch errors sooner during micropatch development and allow us to perform unit testing against micropatched code even before we have a POC. Goosebumps!

This concludes our news from the 0patch lab. If you're interested in getting early access to 0patch central management (in November), or have any questions about our service, please consult Frequently Asked Questions or send an email to sales@0patch.com.


Cheers!

@mkolsek
@0patch

24 comments:

  1. Interesting. It always puzzled me that MS are going to continue creating patches for XP, 7 and others, but denying them to people like me, who are not large business owners or otherwise wealthy, and yet MS have convinced just about everyone that there will be NO patches for those OS when that is clearly a lie.

    The patching effort is still going to happen, so MS are turning down revenue from us by being stupid.

    So any third party that steps into the void created by MS gets my interest. It remains to be seen what the cost of third-party rescue will be. I don't have the income to afford replacement hardware and software, which is why I'm still running XP and 7 (and exploring flavors of Linux), so there's a cost-benefit analysis to perform, obviously.

    But you definitely have my attention!

    Replies
    1. This comment has been removed by a blog administrator.

  2. Nice comment. However, it is clear why Microsoft isn't gonna create further patches for the older systems: how could they live and make a profit anymore if not by creating new systems "forever"!

    Replies
    1. That's not true, MS could make a profit off Windows 7 updates if they charged a decent price, like 19.99 or something reasonable per year; I would buy them to maintain the OS.

  3. Or just let it die and let companies upgrade.

  4. Great, I have Windows 7 running on my 9 year old laptop at my parent's house, which couldn't run Windows 10 properly. Glad that this OS is still supported.

  5. This is awesome and I am completely fine with paying you guys for your hard work. By any chance will you guys have access to Microsoft's ESU's for Windows 7 past the 2020 deadline so you can get a baseline from that? Or do you have to completely do it all in-house?

  6. I'm interested. How much would it cost me though? I absolutely love Windows 7 and I have no intention to stop using this computer any time soon.

    Replies
    1. Hi Rafael, please see https://0patch.com/pricing.html for pricing.

  7. I'm quite grateful that somebody's finally able to bring the sense of sanity back into the OS software world! OS software is not like the cars off of Detroit's assembly lines, needing ever newer and more fandangled models every year so that everyone can "keep up with the Joneses" next door. It's more like the foundation of a house, that's hopefully been designed to last for a human generation or more, and not for mere months or perhaps a few of years.

    Finally there's somebody to break the insane MS monopoly on all of our business computer's operating systems. You were obviously quite right to resurrect the software MS tore down regarding their old equation editors, and now you're quite right to keep the highly polished Windows 7 and 2008 Server alive as well! I say, bravo!!

    Replies
    1. It's only in 0patch PRO, but it's still better than paying for those extended updates.

  8. Can I get micropatches freely through your app?

    Replies
    1. Only some micropatches are available freely for non-commercial use as described here: https://0patch.zendesk.com/hc/en-us/articles/360018692514. Specifically, Windows 7 and Windows Server 2008 post-EOS micropatches will require a PRO or Enterprise license.

  9. This comment has been removed by the author.

    Replies
    1. Your question is entirely reasonable and smart. 0patch will definitely keep you safER compared to having no security patches after January 14, 2020. However, please read this FAQ article: https://0patch.zendesk.com/hc/en-us/articles/360009444420, and ideally also other FAQ articles in the "Windows 7 and Windows Server 2008 Post-End-of-Support Security Micropatches" section.

  10. This comment has been removed by the author.

    Replies
    1. Hi there, unfortunately we can't afford to provide our services for free - there's just far too much work in building/maintaining the product, building micropatches, and providing support.

  11. Hi there. I have one question about 0patch: does the client need to be constantly running? It’s 3 processes running simultaneously and I am curious. From what I’ve read, the patches are applied while 0patch is running; if you terminate the .exe, does that mean the effects are off? Does it have any impact while gaming, will it interfere while playing games? Tyvm for this wonderful tool. Kudos.

    Replies
    1. In order for patches to be getting applied, two things need to be running: 0patch Service and 0patch Driver. (You'll see the former as 0patchService.exe in the list of running processes.) Any additional processes such as 0patchTray.exe (shows popups), 0patchConsole.exe (local management), and 0patchScanner.exe (searching for patchable modules on the computer) are not necessary for patching.

    2. Tyvm for the swift and clear reply. Glad to read I only need to have 1 .exe running. You didn’t say anything about the gaming aspect so I’m going to assume it does not interfere. Kudos. Will be recommending this tool to all my friends, long live Win7..eheheheh.

    3. Apologies for overlooking your gaming-related question. Caution there: 0patch injects a DLL into all running processes, and some games go out of their way to prevent that, or at least detect it and kill themselves - all to prevent cheating (which is often done by injecting DLLs and hooking or patching the game). So it's quite likely that some games will have a problem with 0patch, but I expect most cases can be worked around by excluding the game's executables from getting injected by 0patch.

  12. Thank you for this info. I have noticed Ubisoft’s anti-cheat program “BattleEye” excludes 0patch from being executed while trying to inject the game executable. Is there a way to prevent this patching attempt for games? Can it be done, or would it just be better to terminate the 0patch executable and restart it after playing? I have not tried other games yet because I have only been playing Ghost Recon: Breakpoint for the past 2 weeks (it does not affect the game due to the injection being denied by BattleEye). I wonder how other games will react to this; it definitely deserves an in-depth look regarding gaming. Looking forward to any feedback on this subject. Cheers.

  13. Hi there, I forgot to ask one thing about 0patch. You wrote, and I quote, “...can be worked around by excluding the game’s executables from getting injected by 0patch”. Mind explaining how this is done? How do I exclude the game’s executable from 0patch? Thank you in advance.

    Replies
    1. If you want 0patch Agent to leave some of your processes alone (i.e., not even inject our loader into them), you can edit the registry value named HKLM\Software\0patch\ExcludeModules and enter in it names of all executable (.exe) files you want excluded, separated by pipe character ('|'). For example, to exclude Visual Studio 2010 Express Edition and notepad.exe from being injected by 0patch Agent, put "vcexpress.exe|notepad.exe" into said value. Then to enforce this new setting, you have to change the value of HKEY_LOCAL_MACHINE\SOFTWARE\0patch\CallbackKeys\UnloadLoaderDll\Counter to any other number than it already has (this removes the loader from all processes), and restart the 0patch Service service.

      If you can't resolve this yourself, please contact us at support@0patch.com and we'll post a solution here when we're done.

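The exclusion procedure in the reply above (add .exe names to ExcludeModules, change the UnloadLoaderDll Counter so the loader is pulled out of every process, then restart the service), written as a PowerShell script. This is an added example, not 0patch's own code or documentation, and it assumes things the page does not state: that the registry value types are whatever is already on the machine (the script reads the existing value kind back before writing, and defaults Counter to a DWORD if it is absent), and that the service can be found by a name or display name containing "0patch". The executable names in the sample list are constructed; replace them with the game executables you want left alone. Run it from an elevated prompt.

```powershell
# Added example (not 0patch's code): exclude executables from 0patch Agent injection
# using the registry values described in the reply above. Run as Administrator.
#
# From the reply: HKLM\SOFTWARE\0patch\ExcludeModules holds pipe-separated .exe names,
# and changing HKLM\SOFTWARE\0patch\CallbackKeys\UnloadLoaderDll\Counter to any other
# number removes the loader from all processes; the service must then be restarted.
# Assumed (not on the page): existing value kinds are preserved; the service is found
# by a name/display name containing "0patch".
param(
    # Constructed sample list; use the real game executables (file names only, no paths).
    [string[]]$ExcludeExe = @('GRB.exe', 'notepad.exe')
)

$agentKey   = 'HKLM:\SOFTWARE\0patch'
$counterKey = 'HKLM:\SOFTWARE\0patch\CallbackKeys\UnloadLoaderDll'

if (-not (Test-Path $agentKey)) {
    throw "Registry key $agentKey not found; is 0patch Agent installed?"
}

# 1. Merge the new names into ExcludeModules rather than overwriting entries someone else added.
$existing = (Get-ItemProperty -Path $agentKey -Name ExcludeModules -ErrorAction SilentlyContinue).ExcludeModules
$current  = @()
if ($existing) { $current = @($existing -split '\|' | Where-Object { $_ -ne '' }) }
$merged   = @($current + $ExcludeExe | Sort-Object -Unique) -join '|'
Set-ItemProperty -Path $agentKey -Name ExcludeModules -Value $merged -Type String
Write-Host "ExcludeModules = $merged"

# 2. Set Counter to a value it does not currently have, keeping its existing value kind
#    (assumed DWORD if the value does not exist yet).
$key  = Get-Item -Path $counterKey
$old  = $key.GetValue('Counter')
$kind = if ($null -ne $old) { $key.GetValueKind('Counter') } else { 'DWord' }
$new  = ([int]$old) + 1
$newValue = if (@('String', 'ExpandString') -contains "$kind") { [string]$new } else { $new }
Set-ItemProperty -Path $counterKey -Name Counter -Value $newValue -Type $kind
Write-Host "Counter changed from '$old' to '$new' ($kind)"

# 3. Restart the 0patch service so the new setting is enforced, then confirm it is back up.
$svc = Get-Service |
    Where-Object { $_.Name -like '*0patch*' -or $_.DisplayName -like '*0patch*' } |
    Select-Object -First 1
if (-not $svc) { throw '0patch service not found; check its name in services.msc' }
Restart-Service -InputObject $svc -Force
$svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
Write-Host "$($svc.DisplayName) is $($svc.Status)"
```

Two practical notes: the loader is removed from every process when Counter changes, so games that were already running keep running without 0patch, but so does everything else until the service re-injects; and an excluded executable receives no micropatches at all, so keep the list to the binaries that actually refuse injection rather than whole game launchers.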