Micropatches block exploitation of Windows zero-days under attack
While we wait for Microsoft to provide fixes for the two new Windows RCE zero-days that are being exploited in “limited targeted Windows 7 based attacks,” ACROS Security has released micropatches that can prevent remote attackers from exploiting the flaws.
About the micropatches for Windows zero-days
In a blog post published on Thursday, ACROS Security CEO Mitja Kolsek explained which attack vectors can be used to exploit the vulnerabilities and why Windows 10 users are at a lower risk of attack.
He also went through each of the mitigations recommended by Microsoft and explained the pros and cons of implementing each of them, and noted that their own micropatches protect only against remote attack vectors.
“Obviously we can’t patch these vulnerabilities because we don’t know what they are, but we can infer from Microsoft’s advisory that blocking Adobe Type 1 PostScript fonts from reaching the vulnerable kernel parsing code would block attacks,” he explained.
“So we decided to find the common execution point that various Windows applications such as Windows Explorer, Font Viewer, and applications using Windows-integrated font support are using to pass a font to Windows, then place a bouncer there that would keep Adobe Type 1 PostScript fonts out.”
And so they did.
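As an added illustration of the "bouncer" idea described above (example code written for this page, not 0patch's implementation, whose internals the post does not disclose): recognise Adobe Type 1 PostScript fonts by their on-disk signatures, the cleartext PFA header and the segmented PFB container, and refuse them before they reach a parser. All sample blobs are constructed, not real fonts.

```python
import struct
from typing import Optional

# Magic strings that open the cleartext portion of an Adobe Type 1 font
# (the whole file in PFA form, the first ASCII segment in PFB form).
TYPE1_MAGIC = (b"%!PS-AdobeFont", b"%!FontType1")


def pfb_ascii_segment(data: bytes) -> Optional[bytes]:
    """Return the first segment payload if `data` is a PFB container, else None.

    A PFB file is a sequence of segments, each headed by 0x80, a type byte
    (1 = ASCII, 2 = binary, 3 = EOF) and a 4-byte little-endian length.
    """
    if len(data) < 6 or data[0] != 0x80 or data[1] != 1:
        return None
    length = struct.unpack_from("<I", data, 2)[0]
    return data[6:6 + length]


def is_adobe_type1_font(data: bytes) -> bool:
    """Decide whether a font blob is an Adobe Type 1 PostScript font.

    Handles both PFA and PFB forms; TrueType/OpenType headers, raw CFF and
    truncated or random bytes all fall through to False.
    """
    head = pfb_ascii_segment(data)
    if head is None:
        head = data
    return head.lstrip().startswith(TYPE1_MAGIC)


def font_bouncer(data: bytes) -> str:
    """Policy decision at the common font entry point: block Type 1, allow the rest."""
    return "block" if is_adobe_type1_font(data) else "allow"


# Constructed samples: a minimal PFA header, the same header wrapped in a PFB
# ASCII segment followed by an EOF segment, and TrueType/OpenType sfnt headers.
PFA_SAMPLE = b"%!PS-AdobeFont-1.0: Example 001.000\n/FontName /Example def\n"
PFB_SAMPLE = b"\x80\x01" + struct.pack("<I", len(PFA_SAMPLE)) + PFA_SAMPLE + b"\x80\x03"
TTF_SAMPLE = b"\x00\x01\x00\x00\x00\x0c\x00\x80\x00\x03\x00\x40"
OTF_SAMPLE = b"OTTO" + b"\x00" * 8

if __name__ == "__main__":
    for name, blob in (("PFA", PFA_SAMPLE), ("PFB", PFB_SAMPLE),
                       ("TTF", TTF_SAMPLE), ("OTF", OTF_SAMPLE)):
        print(f"{name}: {font_bouncer(blob)}")
```

The check is deliberately format-level rather than a fix for the underlying parser bug, which is exactly the trade-off the post describes: it denies the vulnerable code its input without knowing what the flaw is.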
0patch
The micropatches are implemented through 0patch, the company’s platform for distributing, applying and removing microscopic binary patches to and from running processes. For the time being (and until Microsoft releases the fixes), users of the free subscription tier will also be able to apply them.
Also for the time being, micropatches are only available for fully updated Windows 7 64-bit and Windows Server 2008 R2 without Extended Security Updates (ESU).
“This provides protection for our users who continue using these Windows versions but were unable or unwilling to obtain ESU, and are now, somewhat ironically, the only Windows users with a patch for these vulnerabilities,” Kolsek noted.
They will continue porting them to other affected Windows versions, but not to Windows 10 and newer Windows Server versions, because the exploitation risk is lower on those.