Back in March 2016, Google security researchers found an exploitable vulnerability in Microsoft’s software that could allow a malicious hacker to elevate their privileges and get up to all sorts of mischief.
Microsoft patched the vulnerability as part of its June 2016 Patch Tuesday rollout. Or at least it thought it did.
By November, Google’s Project Zero bug-hunting team had discovered that Microsoft’s fix was incomplete, and that the vulnerability could still be exploited by other routes. Google informed Microsoft that it had 90 days to patch the flaw before the researchers’ findings would be made public.
To its credit, it appears that Microsoft attempted to plug the security hole once and for all, and planned to include a fix in its regular Patch Tuesday bundle of security updates released in February, beating the deadline Google had imposed by several days.
But things didn’t go according to plan.
At the last minute, Microsoft announced that – for the first time ever – it would not be releasing its regular Patch Tuesday update for February, citing a last-minute problem with the fixes that could potentially affect customers. Microsoft did not say what that problem was.
Obviously that was a shame, but it’s probably better to hold off on a security update that might cause more harm than the problem it is trying to fix.
Google, however, didn’t blink and sure enough published information about the security issue, even including proof-of-concept code to demonstrate how the flaw could be exploited.
The end result?
Google’s researchers give themselves a pat on the back. Microsoft’s security team feel terrible. And – most importantly of all – Microsoft users are left unprotected against a security hole whose details have now been made public by one of Microsoft’s major commercial competitors.
Something about this smells pretty rotten to me.
Microsoft is widely anticipated to properly fix the security hole in its March Patch Tuesday update, but that’s not scheduled to be released until March 14th.
Step forward third-party firm ACROS Security, which has produced its own temporary patch for the flaw that can be used to protect vulnerable Windows computers until an official fix arrives.
ACROS researcher Luka Teiber confirmed that Google’s report on the Microsoft vulnerability had provided all the clues he needed to replicate the issue and devise a fix:
I have to kindly thank Mateusz Jurczyk of Google Project Zero for a terse and accurate report that allowed me to quickly grasp what the bug was about and jump on to 0patching it.
Teiber and his team also produced a video demonstrating the flaw (and their unofficial fix) in action.
Teiber says that his patch, available for Windows 10 64-bit, Windows 8.1 64-bit, Windows 7 64-bit and Windows 7 32-bit, is temporary, and that it will stop being applied as soon as Microsoft’s own update fixes the issue.
Which raises the question – should you apply this third-party unofficial patch?
Well, that’s a question I cannot answer for you. It’s always better to get official security patches directly from the vendor, but when one isn’t yet available you need to judge for yourself whether you are at risk from attacks like this, and weigh that risk against the risk of running code from a third party that changes how your operating system behaves. At the very least, test any unofficial patch on a non-critical machine before rolling it out more widely.
It goes without saying – whatever your decision – that the best defence is a layered defence. Don’t rely solely on a patch for this particular issue. Keep your computers and your sensitive data defended with a variety of protection mechanisms: keep your operating system and applications updated, keep your anti-virus definitions current, and enforce least privilege so that users (and the attackers who compromise their accounts) have no more access than they actually need.