Third-party releases ‘nano-patch’ for Microsoft zero day bug
The delay in last month’s Patch Tuesday fixes has caused considerable angst given there were several known problems, including two disclosed by Google.
Microsoft is on track, as far as we know, for a patch release next week, but one company isn’t waiting. It has issued its own fix for one of the disclosed bugs, a relatively minor one.
A Slovenian security company called ACROS Security has released what it calls its first “nano-patch” for CVE-2017-0038, a bug in Windows’ EMF image parsing logic. The parser does not adequately check the image dimensions declared in the file against the number of pixel bytes the file actually contains.
If the declared dimensions are large enough relative to the data present, the parser is tricked into reading memory contents beyond the memory-mapped EMF file being parsed and rendering them as pixels. An attacker could use this out-of-bounds read to disclose sensitive data sitting in memory, or as a building block for defeating ASLR in a larger exploit chain.
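The root cause described above is a dimension check that is missing or incomplete. The following C program is an added example, not code from 0patch, Microsoft or Google: it models a bitmap record with a simplified, constructed header layout (the field names and structure are assumptions for illustration and are not the real EMF/DIB formats), places it in memory in front of some stand-in “heap” bytes, and shows the vulnerable renderer copying those bytes into the output image while the hardened renderer rejects the record. The hardened version also guards the width × height × bpp arithmetic against integer overflow, which a real fix must do as well.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified bitmap record header. Constructed for this example; the real
 * EMF/DIB structures have different layouts and many more fields. */
typedef struct {
    uint32_t width;    /* declared image width in pixels */
    uint32_t height;   /* declared image height in pixels */
    uint32_t bpp;      /* bits per pixel: 8, 24 or 32 */
    uint32_t cb_bits;  /* declared byte count of the pixel data that follows */
} dib_hdr;

/* Row stride in bytes, rounded up to a 4-byte boundary as DIB rows are.
 * width * bpp fits in 64 bits because both operands are 32-bit. */
static uint64_t row_stride(uint32_t width, uint32_t bpp) {
    uint64_t bits = (uint64_t)width * bpp;
    return ((bits + 31) / 32) * 4;
}

/* Bytes the declared dimensions require. Returns 0 (and leaves *out
 * untouched) for an unsupported bpp or if stride * height would overflow. */
int required_bytes(const dib_hdr *h, uint64_t *out) {
    if (h->bpp != 8 && h->bpp != 24 && h->bpp != 32) return 0;
    uint64_t stride = row_stride(h->width, h->bpp);
    if (h->height != 0 && stride > UINT64_MAX / h->height) return 0;
    *out = stride * h->height;
    return 1;
}

/* VULNERABLE: trusts the declared dimensions and copies that many bytes out
 * of the record, never checking them against cb_bits or the record length.
 * Returns the number of bytes written to out (0 on rejection). */
size_t render_vulnerable(const uint8_t *buf, size_t buf_len,
                         uint8_t *out, size_t out_cap) {
    dib_hdr h;
    if (buf_len < sizeof h) return 0;
    memcpy(&h, buf, sizeof h);
    uint64_t need;
    if (!required_bytes(&h, &need) || need > out_cap) return 0;
    /* BUG: `need` may exceed h.cb_bits and buf_len - sizeof h, so this
     * reads whatever lies in memory after the record. */
    memcpy(out, buf + sizeof h, (size_t)need);
    return (size_t)need;
}

/* HARDENED: the declared pixel count must fit both in the bytes the record
 * says it carries and in the bytes that are actually present. */
size_t render_hardened(const uint8_t *buf, size_t buf_len,
                       uint8_t *out, size_t out_cap) {
    dib_hdr h;
    if (buf_len < sizeof h) return 0;
    memcpy(&h, buf, sizeof h);
    uint64_t need;
    if (!required_bytes(&h, &need)) return 0;
    size_t avail = buf_len - sizeof h;
    if (h.cb_bits > avail) return 0;   /* declared size exceeds the record */
    if (need > h.cb_bits) return 0;    /* dimensions demand pixels that are not there */
    if (need > out_cap) return 0;
    memcpy(out, buf + sizeof h, (size_t)need);
    return (size_t)need;
}

/* Constructed stand-in for unrelated heap data adjacent to the record. */
static const char SECRET[] = "LEAKEDHEAPDATA";

/* Constructed sample: the header claims an 8x2, 8-bpp image (16 pixel bytes)
 * but the record carries only one 8-byte row, followed by SECRET. Writes
 * the layout into `region` and returns the record's true length. */
size_t build_leaky_record(uint8_t *region, size_t cap) {
    dib_hdr h = { 8, 2, 8, 8 };
    size_t rec_len = sizeof h + h.cb_bits;
    if (cap < rec_len + sizeof SECRET) return 0;
    memset(region, 0, cap);
    memcpy(region, &h, sizeof h);
    memset(region + sizeof h, 0x11, h.cb_bits);
    memcpy(region + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

int main(void) {
    uint8_t region[64], out[64];
    size_t rec_len = build_leaky_record(region, sizeof region);

    size_t n = render_vulnerable(region, rec_len, out, sizeof out);
    printf("vulnerable: rendered %zu bytes, second row reads as \"%.8s\"\n",
           n, (const char *)out + 8);

    n = render_hardened(region, rec_len, out, sizeof out);
    printf("hardened: rendered %zu bytes (record rejected)\n", n);
    return 0;
}
```

The vulnerable path renders 16 bytes, the second 8 of which are the bytes that happened to follow the record in memory; in the real bug those bytes come out as image pixels an attacker can read back. The hardened path refuses the record because 16 required bytes exceed the 8 it declares and carries, and the overflow guard in required_bytes stops an attacker from wrapping the size computation with huge dimensions.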
This is one of the two bugs Google publicly disclosed after 90 days passed from the time it informed Microsoft of its findings. Google’s Project Zero researchers have a strict rule: if a vendor has not patched a bug 90 days after being told about it, Google publishes the details to light a fire under them. It has done this twice in two weeks with Microsoft.
The programmer of the fix goes into excruciating technical detail on how the bug works, how it can be exploited and how it’s fixed. The free patch is available for Windows 10 (64-bit), Windows 8.1 (64-bit), and Windows 7 (64-bit and 32-bit) and is meant to serve as a temporary solution until Microsoft releases its own fix.
Needless to say, Microsoft does not endorse the patch. “We’re unable to endorse unverified third party security updates. Our security updates are tested extensively prior to release, and we recommend customers enable automatic updates to receive the latest protections when available,” said a Microsoft spokesperson in a statement to me.
The next scheduled Patch Tuesday falls next week, on March 14.