• Worried about the ADV200001 JScript bug? 0patch to the rescue

    Posted on January 23, 2020 at 06:04 CST by Comment in the Forums

    As far as I can tell, it’s only a problem for a very select group of unfortunate targets, but if you’re concerned about the recently-announced JScript bug (see Yet another JScript vulnerability) documented in MS Advisory ADV200001, CVE-2020-0674, there’s a patch from 0patch that should be of interest.

    In case you’re new to 0patch, the approach is tricky but straightforward: Mitja Kolsek’s team comes up with tiny tweaks to Windows itself that fix bugs. When Microsoft finally releases a patch, the 0patch change will get overwritten by the new Windows code.

    Per Kolsek:

    Last Friday, Microsoft published an advisory about a remotely exploitable memory corruption vulnerability (CVE-2020-0674) that was reported to them by Qihoo 360 as being exploited in the wild. These attacks were reportedly limited so Microsoft decided not to rush with issuing a patch but will rather provide one as part of February’s Patch Tuesday. They did, however, provide a workaround.

    Because the provided workaround has multiple negative side effects, and because it is likely that Windows 7 and Windows Server 2008 R2 users without Extended Security Updates will not get the patch at all (their support ended this month), we decided to provide a micropatch that simulates the workaround without its negative side effects.

    What does Microsoft say about issuing a fix for Win7? Nothing. Per the Advisory:

    Is there an update to address this vulnerability?

    No, Microsoft is aware of this vulnerability and working on a fix. Our standard policy is to release security updates on Update Tuesday, the second Tuesday of each month. This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers.

    To get the micropatch, you have to download and install the 0patch enabling software.

    Martin Brinkmann has more details on ghacks.net.

    Windows Patches/Security
DON'T MISS OUT!
Subscribe to the Free Newsletter
We promise not to spam you. Unsubscribe at any time.
Invalid email address

View the Forum

  • Recent Replies
  • My Replies
  • My Active Topics
  • New Posts in the Last day
  • Private Messages
  • Knowledge Base
  • How to use the Forums
  • All Forums

    • Recent Topics

    My Profile

    April 2025
    S M T W T F S
     12345
    6789101112
    13141516171819
    20212223242526
    27282930  

    Remembering Woody

     

    Want to Advertise in the free newsletter? How about a gift subscription in honor of a birthday? Send an email to sb@askwoody.com to ask how.

    Mastodon profile for DefConPatch
    Mastodon profile for AskWoody

     

    Home About FAQ Posts & Privacy Forums My Account
    Register Free Newsletter Plus Membership Gift Certificates MS-DEFCON Alerts

    Copyright ©2004-2025 by AskWoody Tech LLC. All Rights Reserved.