Industry News

Third-party patch released for Microsoft zero-day that Google made public

Back in March 2016, Google security researchers found an exploitable vulnerability in Microsoft’s software that could allow a malicious hacker to elevate their privileges and get up to all sorts of mischief.

Microsoft patched the vulnerability as part of its June 2016 Patch Tuesday rollout. Or at least it thought it did.

By November, Google’s Project Zero bug-hunting team had discovered that Microsoft’s fix was incomplete and that the vulnerability could still be exploited by other routes. In line with its standard disclosure policy, Google informed Microsoft that it had 90 days to patch the flaw before the researchers’ findings would be made public.

To its credit, Microsoft appears to have tried to plug the security hole once and for all, and planned to ship a fix in its regular Patch Tuesday bundle of security updates in February, several days before the deadline Google had imposed on it.

But things didn’t go according to plan.

At the last minute, Microsoft announced that, for the first time ever, it would not be releasing its regular February Patch Tuesday update at all, because of a problem with the fixes that could have caused customers issues which Microsoft did not specify.

Obviously that was a shame, but it’s probably better to hold off on a security update that might cause more harm than the problem it is trying to fix.

Google, however, didn’t blink and, once the 90 days were up, sure enough published information about the security issue, including proof-of-concept code demonstrating how the flaw could be exploited.

The end result?

Google’s researchers get to give themselves a pat on the back. Microsoft’s security team feels terrible. And, most importantly of all, Microsoft’s users are left unprotected against a security hole whose details have now been made public by one of Microsoft’s major commercial competitors.

Something about this smells pretty rotten to me.

Microsoft is widely anticipated to properly fix the security hole in its March Patch Tuesday update, but that’s not scheduled to be released until March 14th.

Step forward third-party firm ACROS Security, which has produced its own temporary patch for the flaw that can be used to protect vulnerable Windows computers until Microsoft’s official fix arrives.

ACROS researcher Luka Treiber confirmed that Google’s report on the Microsoft vulnerability gave him all the clues he needed to reproduce the issue and devise a fix:

I have to kindly thank Mateusz Jurczyk of Google Project Zero for a terse and accurate report that allowed me to quickly grasp what the bug was about and jump on to 0patching it.

Treiber and his team produced a video demonstrating the flaw (and the unofficial fix) in action.

Treiber says that his patch for 64-bit Windows 10, 64-bit Windows 8.1, and both 64-bit and 32-bit Windows 7 is temporary, and that it will stop being applied as soon as Microsoft’s own update fixes the issue.

Which raises the question: should you apply this third-party unofficial patch?

Well, that’s a question I cannot answer for you. It’s always better to get official security patches directly from the vendor, but when one isn’t yet available you need to judge for yourself whether you are at risk from attacks like this. Bear in mind that applying an unofficial patch means trusting a third party’s code on your systems, so at the very least obtain it from the vendor’s own site, test it before rolling it out widely, and make sure you know how to confirm it has been retired once Microsoft’s update lands.

It goes without saying, whatever your decision, that the best defence is a layered one. Don’t rely solely on a patch for this particular issue: keep your operating system and applications updated, keep your anti-virus definitions current, and manage users’ access controls so that accounts hold only the privileges they need. A privilege-escalation bug like this one still needs an initial foothold, and the less that foothold can reach, the less an attacker gains from exploiting it.

About the author

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

2 Comments


  • As you said, Graham, "Something about this smells pretty rotten to me". Google must be downing a few beers whilst MS are just down about the whole issue!

  • I wonder what the idiots at Google would have said if the shoe had been on the other foot and someone had published a weakness in their program and the methods to exploit it. Just plain stupid.