0patch pushes out another Windows patch, but will leave the real work to Microsoft
Last week 0patch produced what was described as the first 0-day patch for Windows in lieu of Microsoft's usual Patch Tuesday release. It came after Google revealed a pair of vulnerabilities affecting IE/Edge and Windows.
Having addressed the problem in Windows, 0patch is at it again, this time patching the "type confusion" bug (CVE-2017-0037) that plagues Internet Explorer and Edge. This patch is described as an attempt to "release a simple temporary patch that blocks an attacker [rather] than try to create a perfect patch", and it's available for anyone who is willing to place their trust in third-party patching.
Luka Treiber from 0patch says that the patch addresses an issue that is more serious than the hole plugged by the first release. As there is the potential for remote code execution, it was felt there was a need to get a fix of some sort out there as soon as possible. The company recognizes that an official patch will be forthcoming, however, and that Microsoft is in a better position to fix things properly:
We['d] rather release a simple temporary patch that blocks an attacker than try to create a perfect patch. A much more thorough and better analysis of this bug can and will be done by Microsoft. Browsers are certainly among the most complex applications, so with my black box analysis tools and a limited time-frame I don't fool myself that I could get to the bottom of all the weird things an HTML apparatus does. On the other hand, Microsoft developers have the source code, the right tools and knowledge to properly fix this bug and probably won't even blink while getting it done.
Explaining its role in patching Microsoft's security hole, 0patch says:
Microsoft will likely fix this issue next week, but in many large networks their update will not be applied any time soon, as it will have to be thoroughly tested before admins dare to deploy it. We're hoping to "fix the fixing" by developing a so-called "0patch" technology that will allow vendors to deploy low-risk, instantly retractable microscopic patches for vulnerabilities in their products, dramatically decreasing the time between vulnerability discovery and patch application.
Whether people are more willing to trust an essentially unknown third party while they wait for an official patch remains to be seen. The company concedes that the official patch is highly recommended:
Feel free to use 0patch Agent with this patch to protect yourself from attacks against CVE-2017-0037 until Microsoft provides an official fix (which we absolutely recommend you apply). Just remember that we're still in beta ;-)