News, tips, advice, support for Windows, Office, PCs & more
Home icon Home icon Home icon Email icon RSS icon

We're community supported and proud of it!

  • Worried about the ADV200001 JScript bug? 0patch to the rescue

    Posted on January 23rd, 2020 at 06:04 Comment on the AskWoody Lounge

    As far as I can tell, it’s only a problem for a very select group of unfortunate targets, but if you’re concerned about the recently-announced JScript bug (see Yet another JScript vulnerability) documented in MS Advisory ADV200001, CVE-2020-0674, there’s a patch from 0patch that should be of interest.

    In case you’re new to 0patch, the approach is tricky but straightforward: Mitja Kolsek’s team comes up with tiny tweaks to Windows itself that fix bugs. When Microsoft finally releases a patch, the 0patch change will get overwritten by the new Windows code.

    Per Kolsek:

    Last Friday, Microsoft published an advisory about a remotely exploitable memory corruption vulnerability (CVE-2020-0674) that was reported to them by Qihoo 360 as being exploited in the wild. These attacks were reportedly limited so Microsoft decided not to rush with issuing a patch but will rather provide one as part of February’s Patch Tuesday. They did, however, provide a workaround.

    Because the provided workaround has multiple negative side effects, and because it is likely that Windows 7 and Windows Server 2008 R2 users without Extended Security Updates will not get the patch at all (their support ended this month), we decided to provide a micropatch that simulates the workaround without its negative side effects.

    What does Microsoft say about issuing a fix for Win7? Nothing. Per the Advisory:

    Is there an update to address this vulnerability?

    No, Microsoft is aware of this vulnerability and working on a fix. Our standard policy is to release security updates on Update Tuesday, the second Tuesday of each month. This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers.

    To get the micropatch, you have to download and install the 0patch enabling software.

    Martin Brinkmann has more details on