0patch creates a 0-day patch for Windows gdi32.dll vulnerability before Microsoft
Following the revelation of vulnerabilities in Windows, Internet Explorer and Edge by Google, and the delaying of the traditional Patch Tuesday, Microsoft security update practices have been in the spotlight. Google's Project Zero has exposed security issues that Microsoft is yet to fix, so a third party has decided to step in to help out.
A new project going by the name of 0patch has created a "0patch" for a zero-day, addressing the Windows gdi32.dll memory disclosure (CVE-2017-0038) yet to be fixed by Microsoft. As the issue is unlikely to receive an official patch until at least the middle of March, this third-party option is all that's available for now.
The team behind the idea is ACROS security, and rather than just patching a single vulnerability as a one-off, it wants to create a new method of addressing security issues -- 0patching. This is a new technique that will allow vendors to deploy microscopic patches for vulnerabilities in their products, reducing the time between vulnerability discovery and patch application.
The first patch to be produced is for CVE-2017-0038.
Renata Stupar from ACROS Security says:
Microsoft will likely fix this issue with their next Patch Tuesday (March 14), so ours is the only patch available in the World until then. We'll also try to micropatch the other 0-day revealed by Google.
While 3rd-party patches are clearly highly valuable for such 0-days as there is no other efficient protection, we still expect most 3rd-party patches will aim to cover the "security update gap" where an official fix is already available but is being tested - leaving users exposed to "already patched" vulnerabilities.
While this certainly sounds great in principle, there is the slight obstacle of trust. Whether users of Windows are willing to place their trust in an unknown third party to address security issues is something that remains to be seen.
If you like the idea of patching the vulnerability, head over to 0patch to grab it.