0patch Security-Adopts Windows 10 v21H1 to Keep it Running Securely

 

 

This month brought the last security updates for Windows 10 version 21H1. What if your organization is still using it and doesn't want to - or can't - upgrade it yet?

Don't worry, we have previously security-adopted Windows 10 v1803 and v1809, and subsequently Windows 10 v2004 and v1909. Now it wouldn't be fair if we didn't also security-adopt version 21H1.

So we have.

If you're running Windows 10 v21H1 in your organization, all you need to do is install 0patch Agent on these computers and register it to an account with PRO or Enterprise subscription, and you'll start receiving critical security patches as soon as we issue them.

These micropatches will be included in 0patch PRO and Enterprise licenses along with all other micropatches we're issuing - which means that users protecting their Windows 10 v21H1 with 0patch will also receive our micropatches for "0day" vulnerabilities in various products.

In order to have our micropatches applied, Windows 10 v21H1 will have to have December 2022 Windows Updates (the last official updates for this version) installed.

We welcome all interested organizations to contact sales@0patch.com for information about pricing, deployment, or setting up a trial.

P.S.: We're getting close to Windows Server 2012 end of official support by Microsoft in October 2023. You guessed it, we're going to security-adopt this server as well, in case you're already getting nervous about that. This is a good time for you to start a free 0patch trial, so send an email to sales@0patch.com.

To learn more about 0patch, please visit our Help Center.

Micropatches for Type Confusion in Internet Explorer's JScript9 Engine (0day, now CVE-2022-41128)

With November 2022 Windows Updates, Microsoft fixed a vulnerability in Internet Explorer's JScript9 engine that was found being exploited by North Korean government-backed actors known as APT37. The vulnerability is of a "type confusion" sort, which means that malicious JavaScript code can confuse the JavaScript engine into thinking that a certain object is of one type (in our case, Int32Array) while it's actually of another type (in our case, Object) - and that quickly leads to reading or writing memory addresses that were not supposed to be available to said code. From that point on, arbitrary code execution can be achieved.

Benoît Sevens and Clément Lecigne of Google's Threat Analysis Group (TAG) have written a very good analysis of this vulnerability including a minimized proof of concept. This made it possible for us to create a patch for affected "security-adopted" Windows systems that no longer receive official fixes from Microsoft.

Microsoft assigned this issue CVE-2022-41128 and fixed it by removing a code branch that was dependent on a call to function ShouldExpectConventionalArrayIndexValue; in the patched code, this function call is skipped so the code always continues down the same path. 

Admittedly, we did not investigate what really went wrong with this vulnerable code and just logically replicated Microsoft's patch as we trust they know what they're doing. Our micropatch thus only has one instruction that jumps over the now-excluded code:

MODULE_PATH "..\Affected_Modules\jscript9.dll_11.0.9600.19597_Win7_64-bit_NoESU\jscript9.dll"
PATCH_ID 1192
PATCH_FORMAT_VER 2
VULN_ID 7598
PLATFORM win64

patchlet_start
    PATCHLET_ID 1
    PATCHLET_TYPE 2
    PATCHLET_OFFSET 0x2156e
    N_ORIGINALBYTES 5
    JUMPOVERBYTES 0
    PIT jscript9.dll!0x21581
    
    code_start
        jmp PIT_0x21581   ; jump over the excluded code block
    code_end
patchlet_end

The micropatch was written for the following Versions of Windows with all available Windows Updates installed:

1. Windows 10 v2004
2. Windows 10 v1909
3. Windows 10 v1809
4. Windows 10 v1803 
5. Windows 7 without ESU, with year 1 of ESU and with year 2 of ESU
6. Windows Server 2008 R2 without ESU, with year 1 of ESU and with year 2 of ESU

 

 

This micropatch has already been distributed to all online 0patch Agents with a PRO or Enterprise license. To obtain the micropatch and have it applied on your computers along with our other micropatches, create an account in 0patch Central, install 0patch Agent and register it to your account with a PRO or Enterprise subscription. Note that no computer restart is needed for installing the agent or applying/un-applying any 0patch micropatch.

To learn more about 0patch, please visit our Help Center. For a trial or demo please contact sales@0patch.com.

We'd like to thank Benoît Sevens and Clément Lecigne of Google's Threat Analysis Group (TAG) for publishing their analysis and providing a proof-of-concept that allowed us to reproduce the vulnerability and create a micropatch. We also encourage security researchers to privately share their analyses with us for micropatching.

Micropatches for Remote Code Execution in Windows Enterprise App Management Service (CVE-2022-35841)

 

September 2022 Windows Updates brought a fix for a remotely exploitable vulnerability in the Enterprise App Management Service, discovered by security researcher Ceri Coburn of Pen Test Partners. On October 13, they published a blog post describing the vulnerability in detail, and a proof-of-concept.

The Enterprise App Management Service allows Windows admins to centrally perform various installation and application provisioning-related actions on multiple Windows computers in the network. Due to lax permissions, a non-admin attacker could perform the same actions, potentially leading to a malicious application being installed and launched on the target computer.

Microsoft's patch added code for checking whether the requestor has administrative privileges on the computer, and our patches do logically the same.

Microsoft assigned this vulnerability CVE-2022-35841.

Our micropatches were written for the following Versions of Windows with all available Windows Updates installed:

1. Windows 10 v2004
2. Windows 10 v1909
   
3. Windows 10 v1809
   
4. Windows 10 v1803

 

Micropatches have already been distributed to all affected online computers running 0patch Agent with PRO or Enterprise license. To obtain the relevant micropatch and have it applied on your computers along with our other micropatches, create an account in 0patch Central, install 0patch Agent and register it to your account with a PRO or Enterprise subscription. Note that no computer restart is needed for installing the agent or applying/un-applying any 0patch micropatch.

To learn more about 0patch, please visit our Help Center. For a trial or demo please contact sales@0patch.com.

We'd like to thank Ceri Coburn and Pen Test Partners for publishing their analysis and providing a proof-of-concept that allowed us to reproduce the vulnerability and create a micropatch. We also encourage security researchers to privately share their analyses with us for micropatching.