0patch fixes major Windows Installer bug before Microsoft
Waiting for Microsoft to issue patches for bugs that have been discovered in its software can mean having to be very patient -- some updates just seem to take forever to appear. More than this, the bug fixes can introduce new problems of their own, so it's little wonder that third-party patching services such as 0patch have grown in popularity.
And once again, 0patch has managed to beat Microsoft in releasing a patch for a serious vulnerability. The company's latest patch addresses a local privilege escalation 0day in Windows Installer, and it's available well ahead of Microsoft's official fix.
- Microsoft releases Windows Terminal 1.6 Preview complete with new Settings UI
- Security researchers develop unofficial patch for drive-corrupting Windows 10 NTFS bug
- Microsoft reveals workaround to fix Conexant ISST audio driver problems in Windows 10
Details of the vulnerability were revealed just after Christmas by security researcher Abdelhamid Naceri. In addition to revealing the flaw, Naceri also produced a proof-of-concept. It was expected -- and hoped -- that Microsoft would jump on it and patch the issue quickly, but when Patch Tuesday rolled around this month, a fix was nowhere to be seen. This is why 0patch came to the rescue.
This vulnerability is a bypass of Microsoft's fix for CVE-2020-16902 (described by Abdelhamid in detail here), which was itself a bypass of Microsoft's fixes for CVE-2020-0814 and CVE-2020-1302 (also found by Abdelhamid), both of which were a bypass of Microsoft's fix for CVE-2019-1415 (found by SandboxEscaper and described here).
Confusing? Well, some things aren't easy to fix, and Windows Installer is a pretty complex beast that can break a leg if you fix its arm, and then break its tail when you fix the leg. So you want to be careful when fixing.
So 0patch was careful. And now the company has released a fix for Windows 7 and Windows 10 which forces Windows Installer to always use the c:\Windows\Installer\Config.Msi folder for rollback scripts. The company points out: 'it is running as Local System so permissions shouldn't be a problem, and a local attacker can't touch this folder in any relevant way".
As is always the case with 0patch, this particular fix is being made available to everyone free of charge until such a time when Microsoft releases its own official patch. To get started, you need to create an account in 0patch Central, install the client software and grab the patch. More details about the entire process, and the fix, can be found here.