Skip to content
Naked Security Naked Security

What happens when a vendor doesn’t patch its software?

Third-party 'guerilla' patching can be a good example of the community stepping up to fix flaws - but it could also compromise security

Microsoft engineers won’t be happy this month, thanks to the community-minded actions of a Github user named Zeffy. Not content with the way that Redmond was updating its software, he decided to patch Microsoft’s patch.

Zeffy is irritated with Microsoft’s decision to stop updating Windows 7 and 8.1 on newer CPUs. The company, which worked hard to push users to upgrade to Windows 10, announced in January last year that it would not update versions of these older operating systems running on seventh-generation processors (that’s Kaby Lake silicon from Intel, and Bristol Ridge silicon from AMD). A select set of products using sixth-generation Skylake processors would continue to get support until the middle of this year, it said.

On April’s patch Tuesday, the policy finally took effect. Microsoft’s update messages told users of older operating systems using seventh-gen chips that their combinations of Windows version and CPU were not supported. Windows 7 and 8.1 users running Intel seventh-generation Core processors, along with AMD “Bristol Ridge/Ryzen/Zen,” and Qualcomm 8996 chips are being locked out of updates, according to Bleeping Computer.

“A giant middle finger”

In the Readme.md file on his Github repo, Zeffy calls this “a giant middle finger to anyone who dare not ‘upgrade’ to the steaming pile of garbage known as Windows 10”.

He took matters into his own hands, expanding the Microsoft update file so that he could see all the update files it contained. Then, he excluded all the binaries that were related to Windows Update, leaving him with 14 files. He compared those with the ones already on his system, and found one file containing two functions: IsDeviceServiceable and IsCPUSupported. He patched the file to bypass those functions, preventing Windows Update from checking to see whether it liked the host CPU or not.

This isn’t the first time that one person has patched another’s software. Naked Security has already written about Operation Rosehub, a volunteer effort by 50 engineers patching open source projects that used a flawed version of the Apache Common Collections library. Many projects used this code, including WebLogic, WebSphere, JBoss, and Jenkins. No one came to patch many open-source projects relying on the Apache library, so Google stepped up.

Another example of guerrilla patching is 0patch, a project from Slovenian consulting firm Acros Security. This approach uses what the firm calls “micro-patching“, in which the binary isn’t modified at all. Instead, the patches are in-memory changes, typically shorter than a tweet, that block malware trying to exploit a particular vulnerability.

The idea is to quickly patch binaries against specific exploits before the vendor can. In many cases, it can be easier to install a targeted in-memory patch than to try and test a bundle of different patches that will affect binaries directly, explained Acros co-founder Mitja Kolsek.

Working around inadequate patching policies

These different approaches to guerrilla patching highlight existing problems with software updates.

0patch has appeal because it’s an easier way for enterprise admins to protect their software without relying on binary patches that may break the systems. The project has now issued more than 300 patches for various products, many of which were not zero-days.

Like 0patch, Operation Rosehub has appeal because in some cases, vendors simply don’t patch vulnerabilities quickly enough. In Google’s case, the problem lay with open-source projects for which no single person has responsibility. This highlights one of the key problems with open source: many eyes may eventually start a problem, but no one may step up to fix it.

Zeffy’s case highlights something different altogether: selective patching, designed to support a vendor’s own agenda at the expense of its users. Microsoft’s decision to stop updating Windows 7 and 8.1 on current-generation processors furthers its own agenda, which has always been to force as many Windows users to upgrade to Windows 10 as possible.

Microsoft explains this by arguing that developers would have to work too hard to support “Windows 7’s expectations” when running on newer silicon. Nevertheless, it in effect holds users of older versions to ransom, which is what irked Zeffy so much.

This is unfortunate, because fighting the security battle is already hard enough. We should be able to rely on software vendors to support their products on all platforms until their official end of life. Microsoft has vowed to offer extended support for Windows 7 – which includes security updates at no extra charge – until January 2020. Windows 8 gets extended support until January 2023.

If patches themselves become a battleground, and users who don’t want to upgrade their OS must begin hunting around for tools that let them patch vendors’s own patches, then system protection – already a complicated and uncertain process – becomes even more daunting for that vast majority of users that simply wants to feel safe when using their operating system. Zeffy’s irascible fix might not be the last.


12 Comments

Zeffy is a moron…. anyone who fails to see that the average person would be left trying to figure out the issues this may cause, is very narrow minded. If all our parents followed this dorks advice and use his patch, we will be expected to fix the issues. Everyone knows that eventually you must upgrade your hardware.

Hey, where is my patch I want Windows NT back? Geeeeeese come on.

If Microsoft didn’t want to update Windows 7 until 2020 and Windows 8 until 2023, they shouldn’t have said that. Zeffy going around the “older CPU” block to get patches for his system is irrelevant. This is an issue with Microsoft not updating older operating systems, as they said they would, using hardware as the deciding factor. I personally don’t find Windows 10 the “steaming pile” that Zeffy thinks it is, however if I had a 7th gen CPU and wanted to continue using Windows 7 or 8, I shouldn’t require a special process to do so. Microsoft is advancing their agenda to get people to upgrade to Windows 10 if on newer hardware or risk being vulnerable to security deficiencies on their operating system. Bottom line is that Windows 7 and 8 are not at their End Of Life dates and as such, should continue to receive security patches.

Correction: I meant to say “older OS” in the second sentence, not “older CPU”.

That’s right , still using a Microsoft product but am getting better versed with Linux for the eventual shift , need to know what’s required before making the move but I like what I have seen so far and it put Microsoft to shame!!!

The only moron in this conversation is Microsoft , they do not have the right to tell me what processors I’m allowed to use in my equipment , they are selling an operating system only and not the best one available and trying to dictate what equipment their customers can use. (edited to remove profanity)

I’d be glad to update our companies OS, if there was a proper option. W10 is junk bloatware for a business. For gaming the same thing. Every time MS releases something new/rehash, it becomes more bloated, more complicated to use, more risk issues. Business (and gamers) want a stripped down OS, efficient. MS is more like a dictator than a product. Oh sure they make a crippled version for home users, that just adds commands to limit things, but its still the same crap, not better performing.
Back when,,,, we hacked XP down under 70mb in memory and it rocked for gaming (would have been good for work too if we hadn’t taken all print function out)
If MS doesn’t make a better product, someone else will, and will take their market (fingers crossed sooner than later).

If MS doesn’t make a better product, someone else will, and will take their market (fingers crossed sooner than later).

Linux?

Not a chance. Linux still doesn’t allow users to run the software that they need. No Adobe, no real Presentation software (like for churches, concerts, etc.), poor multi-monitor support beyond 2 screens, lack of fully featured office apps (no macros in the linux alternatives), lack of top games, I could go on and on.

Linux still doesn’t allow users to run the software that they need

Well if you need to run a Windows program you have to use (the correct version of) Windows or emulation – like when you need to run a Mac (or DOS) programme under Windows. If however your needs are expressed as “general functionality” there are numerous Linux options (the problem if anything is too many options)
So
– if you “need Adobe” as in reading and writing pdf’s there are alternatives to Acrobat that run under Linux (and Windows).
– if you “need “Adobe” as in photo-editing, why aren’t you using a Mac – which is probably better than Windows or Linux (which does have photo editing software)
– if you need presentation software (like Powerpoint), Open Office has Impress which certainly meets my needs for projected slides.
– Open Office or Libre Office are both fully featured office suites – albeit they use options other than MS VBA for programming (Open Basic, Javascript, BeanShell, Python).
– I have never gone beyond two screens but would expect there to be solutions out there (Search “Linux Multi-screen”)
– Games? Yeah, Linux isn’t intended for the “top games”. But is Windows best for games or is a dedicated games system a better bet?

Some Linux users curse Windows for not providing the functionality they need!

I sure wish there was a real alternative to Windows and Office. Until then, we’re stuck with it, and that’s not a pretty picture (with the way Windows is going.)

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?