Last week I wrote about a third-party patch for an unsolved Windows 10 vulnerability. The patch was issued by security team 0patch (part of Acros Security). Now the company has released a new patch for a zero day vulnerability that affects Internet Explorer 11. In an email, the team explained to me why it is issuing these fixes and how Microsoft may be able to avoid such problems.

Before getting to that, there is plenty of back story here. Back in February, Google Project Zero announced it had discovered two zero day vulnerabilities, one in Windows 10 and one in Internet Explorer. Project Zero gives software companies 90 days to fix these issues before going public. Microsoft missed the cut off.

The company also cancelled its February Patch Tuesday cumulative updates due to an unnamed late issue. Perhaps this was to concentrate on solving the zero-day vulnerabilities. Either way, Microsoft is expected to fix the Windows 10 and IE 11 issues during Patch Tuesday on March 14.

However, the 0patch team thinks users shouldn’t have to wait so long to get patch fixes. The team is dedicated to stopping zero-day vulnerabilities as quickly as possible. Last week, the company rolled out a fix for the Windows 10 flaw.

Today, 0patch had also solved the IE11 problem, which it calls a “more critical vulnerability”. In a blog post, the team says its fix fills the “vacuum” Microsoft creates between Patch Tuesday releases. The IE11 vulnerability is reported to allow remote code execution. Luka Treiber from the 0patch team explains how this confusion vulnerability works:

“The PoC is a short HTML file in which – upon opening in IE11- JavaScript dynamically reformats StyleSheet properties of an HTML table in a way that causes type confusion, ending in a crash. Inspecting the crash with Application Verifier enabled and WinDbg attached I got the same results as reported.”

0patch

While it is good to have a third-party making these fixes, there are a few questions that I think need to be answered. Firstly, why is Acros Security doing this? And secondly, what happens to these third-party patches when Microsoft releases an official fix? Naturally, I reached out and asked.

0patch answers the second question in its blog post today. Once Microsoft releases an official fix, the vulnerable mshtml.dll and the third-party patch will be automatically overridden. The company explains that this happens because the fix is strictly tied to the vulnerable dll.

In an email, the 0patch team told me that through years of working with clients, the company has become frustrated that there has been little improvement in stopping attackers. Micropatching is a way to bridge the gap between “fat updates” that many software companies now favour.

Incidentally, Microsoft uses fat updates for Windows 10 and other services. The company rolls out cumulative updates monthly, but rarely deals with issues in the interim. The 0patch team tells me they sympathize with Microsoft as preparing complex fixes is hard, which is why the Project Zero deadline may have been missed.

However, the company adds that users would benefit if Microsoft took a micropatching approach:

“If companies like Microsoft used micropatching for fixing individual vulnerabilities, they wouldn’t have to bundle them together and delay them all because of problems with some. Ideally, they could reduce their Patch Tuesdays to bi- or tri-monthly updates, and fix the security bugs quickly inbetween.”