0Patch Micropatches Released to Address 3 Zero-Day Windows Flaws

0Patch has released a micropatch to address three zero-day Windows flaws that have yet to be addressed by Microsoft, including a zero-day remote code execution vulnerability in the Windows Contacts app.

The 0Patch platform allows micropatches to be quickly distributed, applied, and removed to/from running processes without having to reboot computers or even restart processes. The platform is still in beta, although testing and tweaking is almost at an end. 0Patch has already released a number of micropatches to address zero-day vulnerabilities in Microsoft products to help businesses temporarily mitigate vulnerabilities until a full patch is released.

The latest round of fixes address three recently discovered vulnerabilities in Microsoft products.

The first patch addresses a flaw dubbed AngryPolarBear which was discovered by security researcher SandboxEscaper who published a proof-of-concept exploit for the flaw in December. While the flaw does not allow remote code execution, an attacker could leverage the vulnerability to overwrite important system files, which could be used in DoS attacks.

The flaw allows a local unprivileged process to get a chosen system file on a vulnerable device overwritten in the context of a Windows Error Reporting XML file. The PoC allows the XML file to be replaced with a hard link to the chosen target. An attacker will not have much control over the content of the XML file, but could exploit the flaw to corrupt the critical system file pci.sys, and thus prevent the system from booting. The patch stops the XML file from being deleted.

The second patch also addresses another flaw uncovered by SandboxEscaper, which has been dubbed readfile. A PoC exploit was also published in December. This flaw is present in the Windows Installer and could allow an attacker to obtain sensitive information. The flaw can be exploited by an unprivileged process and allows arbitrary files to be read – in the case of the PoC, the desktop.ini file.

The third patch addresses a flaw in the Windows Contacts app which, if exploited, could lead to remote code execution on a vulnerable device. The flaw was uncovered by ZDI researcher John Page who submitted the flaw to Microsoft, which exceeded the 90-day window for issuing a fix. Microsoft has announced that it will not be issuing a patch to correct the flaw, so while micropatches are intended to be temporary fixes, this one is likely to be permanent.

The flaw is present in the way that .Contact and .VCF contact information is stored and processed on Windows Vista to Windows 10 OSes. The flaw allows the creation of a contact file that has a malicious payload in a sub-directory, with will be run when the user clicks the link in the contact file.

The Micropatches are delivered through the 0Patch platform which can be installed free of charge. The Micropatches have been developed for Windows 10 and Windows 7 (for the second two vulnerabilities). Support at 0Patch should be contacted for patches for other vulnerable Windows versions.

Author: NetSec Editor