So I learned something new today: there are companies that provide security patches for Windows that aren’t Microsoft. I never even considered this could be a thing, but it turns out that a paid service called 0patch seems to have been around for a long time, and the consensus seems to be that not only can it be trusted, it also sometimes provides patches sooner than Microsoft does. Today, 0patch announced it’ll also be providing this service for Windows 10 after the end of support next year.
With October 2025, 0patch will “security-adopt” Windows 10 v22H2, and provide critical security patches for it for at least 5 more years – even longer if there’s demand on the market.
We’re the only provider of unofficial security patches for Windows (“virtual patches” are not really patches), and we have done this many times before: after security-adopting Windows 7 and Windows Server 2008 in January 2020, we took care of 6 versions of Windows 10 as their official support ended, security-adopted Windows 11 v21H2 to keep users who got stuck there secure, took care of Windows Server 2012 in October 2023 and adopted two popular Office versions – 2010 and 2013 – when they got abandoned by Microsoft. We’re still providing security patches for all of these.
↫ Mitja Kolsek on the 0patch blog
This service implements patching through what it calls “micropatches”, which are very small sets of CPU instructions injected into running code in memory without modifying – in this case – Microsoft’s own code. These micropatches are applied by briefly stopping the offending program, injecting the fix, and continuing the program – without having to close the program or reboot. Of course, they can be unapplied in the same, non-disruptive way. The 0patch service will provide patches for 0days that Microsoft hasn’t fixed yet, patches for issues Microsoft won’t fix, and sometimes patches for third party code.
As the headline clearly states, this service isn’t free, but honestly, at roughly 25 dollars plus tax per computer per year, it’s not exactly expensive, and definitely cheaper than Microsoft’s own Windows 10 Extended Security Update program it’s going to offer for Windows 10 after the end of support date next year. Diving a bit deeper into who is providing this service, it comes from a company called ACROS Security, a small company out of Slovenia. The company details its micropatches on its 0patch blog if you want more information on how each individual ones works.
I still don’t know exactly what to make of this, and I definitely wouldn’t rely on something like this for mission-critical Windows computers or servers, but for something like a home PC that can’t be upgraded to Windows 11 but still works just fine, or perhaps some disposable virtual machines you’re using, this might be a good stopgap solution until you can upgrade to a better operating system, like Linux or one of the BSDs. Are there any people in the OSNews audience who’ve used 0patch, or perhaps a service similar to it?
So how legal are they? As they almost certainly have to be disassembling Windows code to do this. As for trust, I’d say no as I can easily see situations where only publicly known CVEs get patched as numerous non-reported 0-days accumulate.
The scope of this service to be exploited is incredible. The whole mechanism of “patching” is a textbook memory root kit.
I most certainly wouldn’t trust this in my corporate environment.
Yes,
Unless they also offer the source code to any patches they provide along with a team that can actually audit that source code on my end, I would do the same.
And, once again, it might be just cheaper to pay Microsoft with all that hassle.
Adurbe,
This logic seems biased to me. Why not apply this to all proprietary software!! But people always give Microsoft (and other giants) a pass when they have a long track record of vulnerabilities and exploits.
Also, I’d take 0patch’s vulnerability documentation over microsoft’s any day…
https://blog.0patch.com/2024/06/micropatches-for-microsoft-outlook.html
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-21378
There is a distinction between a patch to a software provided by the developer that changes how the application behaves, and intercepting memory and injecting content.
While we all hold bias, mine is derived from seeing the techniques they use to “patch” as a means of data theft, surveillance an simple execution of arbitrary code.
While Microsofts record hasn’t always been stellar, this technique utilised by 0patch is fraught with dangers.
Adurbe,
I don’t think that’s very fair. The techniques are effective and even promoted for hotpatching kernels like redhat. Frankly 0patch vulnerability resolution engineers may be more qualified than microsoft engineers writing OS code in the first place. If you read the examples I linked, 0patches solution is just as effective as microsoft’s solution.
It would be interesting to put their respective engineers to a competency test, not that we;ll get to see that. For better or worse I think microsoft will always be given an automatic pass whether or not they actually deserve it, and other smaller competitors will be criticized whether or not they actually deserve it.
The idea that machines that are stuck on Windows 10 will become e-waste is silly. Most users just shouldn’t be seriously concerned about Microsoft “ending official support” for Windows 10. It’s not like the machines will brick on that date. In fact they will continue to run just fine. If you’re not exposing any ports to the Internet, and your main way of interacting with the web is surfing using the latest version of a modern browser, then you can continue to use Windows 10. Browser vendors will likely continue to release compatible versions for many years, especially if the operating system continues to be popular.
Running an unpatched OS in 2024. What could go wrong?
What could go wrong? How exactly are malicious actors going to exploit your machine if it’s behind a WiFi router and just accessing Gmail and Facebook with an up to date browser?
https://www.pcgamer.com/hardware/a-windows-xp-machines-life-expectancy-in-2024-seems-to-be-about-10-minutes-before-even-just-an-idle-net-connection-renders-it-a-trojan-riddled-zombie-pc/
He could perhaps also announce it as a challenge on the darkweb or something.
FriendBesto,
While I agree with you that risks are often exaggerated when inbound ports are firewalled. However the fact that these operating systems will be denied updates does pose a non-zero risk considering that they’re still passing traffic to/from the internet and sometimes these are exploitable (consider fishing vulnerabilities and following links that trigger an exploit).
It’s conceivable that an 0day in the browser coupled with a known privilege escalation vulnerability in the OS could expose users to higher risk levels. Something like this has been demonstrated before: https://www.sentinelone.com/blog/privilege-escalation-cve-2020-17087-cve-2020-15999/
Still, as long as the browser is kept up to date, and the user practices dilligence in what websites they visit, they should be fine.
You’re asking how attackers could attack a machine that gets zero updates? Its kind of like asking how someone without a function immune system can get sick.
No, I’m not asking that. I’m asking specifically how would the malicious payload be executed on the machine? If the user will run a malicious .exe they downloaded from the internet, they have bigger problems than the OS being vulnerable to some privilege escalation CVE.
Running an unpatched OS behind a router firewall and with an up-to-date browser.
Yeah, please tell us, what could go wrong?
https://www.pcgamer.com/hardware/a-windows-xp-machines-life-expectancy-in-2024-seems-to-be-about-10-minutes-before-even-just-an-idle-net-connection-renders-it-a-trojan-riddled-zombie-pc/
They “set up a Windows XP instance and configured it to be fully exposed with no firewall and no anti-virus software, just like the good old days”.
You perhaps missed my remark: if you’re running from behind a Wi-Fi router, your machine doesn’t expose any open ports to the internet that can be exploited. Here’s an exchange from the comment system of the YouTube video demonstrating the experiment:
“I had no idea that just connecting machines with obsolete operating systems to the internet could get you malware.”
“It can’t. He’s specifically operating in a way that circumvents modern protections that are built into our routers.”
You can run the experiment yourself, get the “Windows XP Professional (32-bit) (VirtualBox)” image from the Wayback Machine, load it up in VirtualBox, and play with it. There are many configurations where it will be able to have internet connectivity and not get trojans in 10 minutes.
“at roughly 25 dollars plus tax per computer per year, it’s not exactly expensive”
is that supposed to be a joke? that kind of pricing per machine becomes insane at scale.
Still a whole lot cheaper than upgrading all those machines or in the server use case, porting whatever proprietary software stack to something else. Make no mistake, this is for customers who essentially don’t have a choice but to stick with Windows as opposed to upgrading or switching. And likely with a secondary market (as Thom suggests) of end consumers who just want to do retro computing, keep their old machines running and connected to the internet, etc. Compared to the price of any of the alternatives, for any of these use cases, this is a steal.
We live in different worlds. That’s not expensive in my world. That’s alarmingly cheap. As in, I suspect they are likely malware that profits more on the sale of the data and access to the machines because there is no way they could provide this service at that price.
I’m with you on that. The scale you’d need to make it viable would have to be massive.
And hiring devs with this kind of skillset is very very niche (in non-darkweb industries) so I can’t see them being cheap on the market.
https://www.pcgamer.com/hardware/a-windows-xp-machines-life-expectancy-in-2024-seems-to-be-about-10-minutes-before-even-just-an-idle-net-connection-renders-it-a-trojan-riddled-zombie-pc/
“configured it to be fully exposed with no firewall and no anti-virus software”
Given Microsoft’s direction in it’s present and future OS products, I’d say that I have no choice as I refuse to update to Windows 11. It appears to me that M$ is abandoning local workstaions in hopes of the cloud services and Ai. They effectively keep their code on their equipmwnt, rendering all workstations as effectively dumb terminals again. This rids them of the need for basically a licensing infrastructure, code, productivity, and IP, locally hosted and owned by the disparate corporation, and the OS as well, including Hardware. The EULA states it all through the legalese. If you’re a home user, you are definitely screwed as you dont have the lawyer power to change this compared to Microsoft.
There are some unfounded comments about how safe, or legal, 0patch is. I suggest one test it got a period of time. I gave it one year. It outperformed Microsoft patches, with no issues. Expressing a concern is fine. So, A-B test it.
No. Just as I don’t A/B test jumping out of a plane with or without a parachute. You look a the risk/reward *before* you do any tests. The risk is great, and what exactly is the reward? Not having to replace a PC or switch to a new operating system? Its really a question of how much you value the personal information and data stored on a PC. If its zero, don’t do anything, live with the risk. If its more than the cost of the $25 a year but less than the cost of switching operating systems or buying a new pc, go for it I guess. If its worth more than the cost of a new PC, you just buy a new PC.
Bill Shooter of Bul,
A/B testing is valid and useful, but the analogy as you’ve put it is flawed though. A better comparison would be A/B testing one parachute design versus a competing one.