• Win 7 0patch micropatches: What are they, how they work, and are they any good?

    #1967269

    Looking at the description of the various Forums, this one seems like the most appropriate one for this entry. If I am wrong, please moderators, move it to its appropriate place and let me know if you did that.

    Several days ago, in the thread started by Woody on “0patch’s micro-patching service for Windows 7”, of real interest to Win 7 users after this veteran system’s EOL, now less than three and a half months away, DrBonzo asked a question that has not been answered so far, and I believe it is an important one if one thinks seriously of taking a subscription to this 0patch support after MS’ support ends. I believe this question to be most relevant and deserving of an answer that is neither too technical and jargon-loaded nor too terse.

    This is the point made by DrBonzo that I am now quoting here, in the hope of some responses with good explanations:

    “I consider myself to be a non-techie, but something just doesn’t seem to add up here.

    Either I’m inferring or 0patch is implying (or a combination of those two) that bugs, holes, vulnerabilities – whatever you want to call them – that are found in the Windows 7 operating system can be effectively patched with a “few lines” of code. If that’s true, why would Microsoft not also patch in this manner instead of the massive 400MB (roughly) Rollup and 80MB (roughly) Security Only patches? It would seem that the “few lines” patches would be far easier to test and fix if issues with said patches were found. I would think that MS would be all over this “few lines” patching method. Can someone enlighten me why they aren’t, and while you’re at it whether the “few lines” patching method is actually any good?”

    Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

    MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
    Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
    macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

    2 users thanked author for this post.
    • #1967291

      It is not necessarily that the testing is easier or harder. No one has really defined what “a few lines of code” means. If all you are doing is replacing code it is not too bad. But, managing small patches can be quite challenging when you have to add code.

      I’m sure Microsoft has found it much easier and more reliable to do a full replacement of all the involved elements.

      --Joe

      2 users thanked author for this post.
    • #1967469

      A “few lines of code” are 99.9999999999999% of the time a few lines of code in a file of very many more lines. Patching those few lines means re-writing those lines in the source code, then re-compiling the source code into a Windows file.

      In order to issue a patch for those “few lines of code”, the edited and recompiled Windows file must be replaced, not just the “few lines of code”. That’s what increases the size of the patch. A “few lines of code” here and there would almost surely involve several Windows files here and there, each of which must be replaced in the update process.

      Hence the patch is larger than one might expect.

      Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
      We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
      We were all once "Average Users".

      3 users thanked author for this post.
      • #1967681

        bbearren #1967469: Thanks for such a clear answer. To me this prompts now a follow-on question:

        The 0patch “micropatches” (I believe now that ironic quotation marks might be in order) have been presented earlier on as a continuation of Windows 7 patching beyond EOL next January, when MS will no longer be supporting with patches (except, perhaps, under some exceptionally rare, dire circumstances, as it has been doing with XP) the veteran system some of us want to keep using even so and for much longer. If there are no large files of patches to be micropatched, because there are no more MS patches, what will then the micropatches patch?

         


    • #1967739

      Hi everyone,

      I’m Mitja Kolsek, co-founder of 0patch, and I’d like to clarify what a micropatch is and how it works.

      A micropatch is actually just a couple of CPU instructions that get inserted into the original code of an executable module (e.g., EXE or DLL) to correct a security flaw. This insertion only happens in memory of a running process, so the executable file is never modified.

      If you keep Windows 7 updated up to and including the January 2020 updates, our micropatches will be able to patch your Windows as they subsequently turn out to be vulnerable to newly discovered security issues. For example, in January 2021 you’ll still have the same Windows 7 binaries on your computer, but some of them will get micropatched every time they get loaded in a process. (Note: we only plan to micropatch high-risk issues as explained here: https://0patch.zendesk.com/hc/en-us/articles/360009439780.)

      I warmly welcome anyone looking for more information to our FAQ at https://0patch.zendesk.com/hc/en-us/categories/200441471-Frequently-Asked-Questions in case I’m not able to reply here in a timely manner.

      Thank you!

      Mitja Kolsek, 0patch co-founder

      6 users thanked author for this post.
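
Added example, not part of the original thread and not 0patch's code: a small C model of the two approaches described above, where a file-replacement update ships a whole recompiled file while a micropatch changes a few bytes of the copy loaded in memory and leaves the file as it was. The byte values, the `micropatch` record layout, the same-length in-place replacement and the check of the expected original bytes are assumptions made for this sketch; the check illustrates why a patch built for one version of a binary would not be applied to a different one.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a module's code bytes as stored on disk. */
static const uint8_t disk_image[16] = {
    0x55, 0x48, 0x89, 0xE5, 0x8B, 0x45, 0x10, 0x3B,
    0x45, 0x14, 0x7E, 0x05, 0x90, 0x90, 0x5D, 0xC3 };

/* Hypothetical patch record (an assumption, not 0patch's real format). */
struct micropatch {
    size_t offset, len;
    uint8_t expect[4];   /* bytes that must be present before patching */
    uint8_t replace[4];  /* bytes written over them in memory */
};

/* Patch the loaded copy only: 0 applied, -1 out of range, -2 mismatch. */
int apply_in_memory(uint8_t *mem, size_t mem_len, const struct micropatch *p) {
    if (p->len > sizeof p->expect || p->offset > mem_len ||
        p->len > mem_len - p->offset)
        return -1;
    if (memcmp(mem + p->offset, p->expect, p->len) != 0)
        return -2;       /* not the binary this patch was built for */
    memcpy(mem + p->offset, p->replace, p->len);
    return 0;
}

/* Number of bytes where the loaded copy differs from the file. */
size_t diff_count(const uint8_t *a, const uint8_t *b, size_t n) {
    size_t d = 0;
    for (size_t i = 0; i < n; i++) d += (a[i] != b[i]);
    return d;
}

/* Load, patch, re-apply. Returns 1 if one byte changed and re-apply failed. */
int demo(void) {
    uint8_t loaded[sizeof disk_image];
    memcpy(loaded, disk_image, sizeof loaded);   /* stands in for module load */
    /* 0x7E (jle, signed) -> 0x76 (jbe, unsigned): an illustrative fix */
    struct micropatch p = { 10, 2, {0x7E, 0x05}, {0x76, 0x05} };
    int first = apply_in_memory(loaded, sizeof loaded, &p);
    int again = apply_in_memory(loaded, sizeof loaded, &p);
    return first == 0 && again == -2 &&
           diff_count(loaded, disk_image, sizeof loaded) == 1;
}
int main(void) {
    printf("patched in memory, file bytes untouched: %d\n", demo());
    return 0;
}
```

Because only the loaded copy changes, a hash of the file on disk is the same before and after; whether a micropatch is active shows up only when the in-memory code is compared with the file.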
      • #1967799

        Thank you, Mitja Kolsek, for your explanation about your micropatches and the additional one in the “0patch” articles to which you have provided links.

        Among the various issues explained in the articles, the following are, to me at least, particularly interesting:

        We plan to provide these micropatches for at least one year (until, including, January 2021 Patch Tuesday) but depending on the demand (and the amount of Windows 7 and Windows Server 2008 computers protected with 0patch) we may extend that period.

        Apply all official Windows updates to your Windows 7 and Windows Server 2008 computers up to the latest ones, and also any subsequent updates that Microsoft may issue (like they have issued EternalBlue and BlueKeep updates for Windows XP and Windows Server 2003 after their support had ended).

        “… From time to time, a vulnerability may be found in Windows 7 or Windows Server 2008 that would require a significant redesign of some important functionality that you can’t afford to disable.
        Issues like these will accumulate in time and slowly chip away at your computer’s security without us being able to help. This is why you should consider our micropatches for Windows 7 and Windows Server 2008 as a temporary solution to buy you more time for migrating to a supported OS type and version.”

        Allow your 0patch-protected computers to connect to 0patch server for periodic syncing in order for them to receive new micropatches and in order for you to remotely manage them (included in the Enterprise license).

        I also gather that the micropatches will be applied “in memory”, meaning only during the execution of those executable application and operating system’s files that may need them, to make their execution safe from new threats discovered “in the wild”. That is, apparently, it might seem, as long as these files are kept in a mass-storage drive, HD or SSD, and not in firmware, unlike the elements of the BIOS, EFI, UEFI. Although, as I understand it, while some of these run only on firmware, others can also run on the main mass-storage devices: if so, does this make any difference from the point of view of micropatching?


        2 users thanked author for this post.
        • #1968922

          0patch can currently only micropatch user-space Windows processes. Providing support for kernel micropatches is in the pipeline but you should know that the highest-risk vulnerabilities (those allowing for remote code execution) are mostly located in user-space code. 0patch can’t micropatch BIOS, EFI/UEFI, or any other component outside of Windows processes (and kernel at some point).

          Mitja

          5 users thanked author for this post.