  • Win 7 0patch micropatches: What are they, how they work, and are they any good?


    This topic contains 7 replies, has 6 voices, and was last updated by  woody 4 months, 3 weeks ago.

    • #1967269 Reply

      OscarCP
      AskWoody Plus

      Looking at the description of the various Forums, this one seems like the most appropriate one for this entry. If I am wrong, please moderators, move it to its appropriate place and let me know if you did that.

      Several days ago, in the thread started by Woody on “0patch’s micro-patching service for Windows 7”, of real interest to Win 7 users after this veteran system’s EOL, now less than three and a half months away, DrBonzo asked a question that has not been answered, so far, and I believe it is an important one, if one thinks seriously of taking a subscription to this 0patch support after MS’ support ends. I believe this question to be most relevant and deserving of an answer that is neither too technical, jargon-loaded, nor too terse.

      This is the point made by DrBonzo that I am now quoting here, in the hope of some responses with good explanations:

      “I consider myself to be a non-techie, but something just doesn’t seem to add up here.

      Either I’m inferring or 0patch is implying (or a combination of those two) that bugs, holes, vulnerabilities – whatever you want to call them – that are found in the Windows 7 operating system can be effectively patched with a “few lines” of code. If that’s true, why would Microsoft not also patch in this manner instead of the massive 400MB (roughly) Rollup and 80MB (roughly) Security Only patches? It would seem that the “few lines” patches would be far easier to test and fix if issues with said patches were found. I would think that MS would be all over this “few lines” patching method. Can someone enlighten me why they aren’t, and while you’re at it whether the “few lines” patching method is actually any good?”

      Windows 7 Professional, SP1, x64 Group B & macOS + Linux (Mint) => Win7 Group W + Mac&Lx

      2 users thanked author for this post.
    • #1967291 Reply

      joep517
      AskWoody MVP

      It is not necessarily that the testing is easier or harder. No one has really defined what “a few lines of code” means. If all you are doing is replacing code it is not too bad. But, managing small patches can be quite challenging when you have to add code.

      I’m sure Microsoft has found it much easier and more reliable to do a full replacement of all the involved elements.

      --Joe

      2 users thanked author for this post.
    • #1967469 Reply

      bbearren
      AskWoody MVP

      A “few lines of code” are 99.9999999999999% of the time a few lines of code in a file of very many more lines.  Patching those few lines means re-writing those lines in the source code, then re-compiling the source code into a Windows file.

      In order to issue a patch for those “few lines of code”, the edited and recompiled Windows file must be replaced, not just the “few lines of code”.  That’s what increases the size of the patch.  A “few lines of code” here and there would almost surely involve several Windows files here and there, each of which must be replaced in the update process.

      Hence the patch is larger than one might expect.

      Create a fresh drive image before making system changes/Windows updates, in case you need to start over!
      "When you're troubleshooting, start with the simple and proceed to the complex."—M.O. Johns
      "Experience is what you get when you're looking for something else."—Sir Thomas Robert Deware

      3 users thanked author for this post.
      • #1967681 Reply

        OscarCP
        AskWoody Plus

        bbearren #1967469  : Thanks for such a clear answer. To me this prompts now a follow-on question:

        The 0patch “micropatches” (I believe now that ironic quotation marks might be in order) have been presented earlier on as a continuation of Windows 7 patching beyond EOL next January, when MS will no longer be supporting with patches (except, perhaps, under some exceptionally rare, dire circumstances, as it has been doing with XP) the veteran system some of us want to keep using even so and for much longer. If there are no large files of patches to be micropatched, because there are no more MS patches, what will then the micropatches patch?

         

        Windows 7 Professional, SP1, x64 Group B & macOS + Linux (Mint) => Win7 Group W + Mac&Lx

    • #1967739 Reply

      anonymous

      Hi everyone,

      I’m Mitja Kolsek, co-founder of 0patch, and I’d like to clarify what a micropatch is and how it works.

      A micropatch is actually just a couple of CPU instructions that get inserted into the original code of an executable module (e.g., EXE or DLL) to correct a security flaw. This insertion only happens in memory of a running process, so the executable file is never modified.

      If you keep Windows 7 updated up to and including the January 2020 updates, our micropatches will be able to patch your Windows as they subsequently turn out to be vulnerable to newly discovered security issues. For example, in January 2021 you’ll still have the same Windows 7 binaries on your computer, but some of them will get micropatched every time they get loaded in a process. (Note: we only plan to micropatch high-risk issues as explained here: https://0patch.zendesk.com/hc/en-us/articles/360009439780.)

      I warmly welcome anyone looking for more information to our FAQ at https://0patch.zendesk.com/hc/en-us/categories/200441471-Frequently-Asked-Questions in case I’m not able to reply here in a timely manner.

      Thank you!

      Mitja Kolsek, 0patch co-founder

      6 users thanked author for this post.
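
The mechanism described in the post above, as an added illustration that is not part of the thread and is not 0patch code: a toy interpreter stands in for the CPU, and the instruction names, the patch record layout and the binding of a patch to one exact build by hash are assumptions of this sketch.

```python
import hashlib

# Constructed toy "module": (opcode, operand) pairs standing in for machine code.
# It copies LEN input items into an 8-slot buffer without checking LEN.
DISK_IMAGE = (("LOAD_LEN", None), ("COPY", None), ("RET", None))
OTHER_BUILD = DISK_IMAGE + (("NOP", None),)  # constructed: a different build of the file
BUF_SIZE = 8

def image_hash(image):
    """Hash of the file as stored on disk (never rewritten by a micropatch)."""
    return hashlib.sha256(repr(tuple(image)).encode()).hexdigest()

# Hypothetical micropatch record: one exact build, one offset, a few instructions.
MICROPATCH = {
    "target_sha256": image_hash(DISK_IMAGE),
    "offset": 1,                              # insert just before COPY
    "code": [("FAIL_IF_LEN_GT", BUF_SIZE)],   # the missing bounds check
}

def load_module(disk_image, patches=()):
    """Map the image into 'process memory'; patch that copy only, on every load."""
    memory = list(disk_image)
    for p in patches:
        if p["target_sha256"] == image_hash(disk_image):  # skip other builds
            memory[p["offset"]:p["offset"]] = p["code"]
    return memory

def run(memory, data):
    """Execute the in-memory code: ('ok', buf), ('overflow', n) or ('blocked', n)."""
    buf, length = [0] * BUF_SIZE, 0
    for op, arg in memory:
        if op == "LOAD_LEN":
            length = len(data)
        elif op == "FAIL_IF_LEN_GT" and length > arg:
            return ("blocked", length)        # patched path rejects oversized input
        elif op == "COPY":
            if length > BUF_SIZE:             # models a write past the buffer end
                return ("overflow", length - BUF_SIZE)
            buf[:length] = data
        elif op == "RET":
            return ("ok", buf)

if __name__ == "__main__":
    oversized = list(range(12))
    print(run(load_module(DISK_IMAGE), oversized))                # unpatched process
    print(run(load_module(DISK_IMAGE, [MICROPATCH]), oversized))  # micropatched process
    print(run(load_module(OTHER_BUILD, [MICROPATCH]), oversized)) # patch does not match
```

The file's hash is identical before and after loading, which is the difference from the replace-the-whole-file model discussed earlier in the thread; the patch has to be reapplied at each load and only fits the build it was written for.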
      • #1967799 Reply

        OscarCP
        AskWoody Plus

        Thank you, Mitja Kolsek, for your explanation about your micropatches and the additional one in the “0patch” articles to which you have provided links.

        Among the various issues explained in the articles, the following are, to me at least, particularly interesting:

        We plan to provide these micropatches for at least one year (until, including, January 2021 Patch Tuesday) but depending on the demand (and the amount of Windows 7 and Windows Server 2008 computers protected with 0patch) we may extend that period.

        Apply all official Windows updates to your Windows 7 and Windows Server 2008 computers up to the latest ones, and also any subsequent updates that Microsoft may issue (like they have issued EternalBlue and BlueKeep updates for Windows XP and Windows Server 2003 after their support had ended).

        “… From time to time, a vulnerability may be found in Windows 7 or Windows Server 2008 that would require a significant redesign of some important functionality that you can’t afford to disable.
        Issues like these will accumulate in time and slowly chip away at your computer’s security without us being able to help. This is why you should consider our micropatches for Windows 7 and Windows Server 2008 as a temporary solution to buy you more time for migrating to a supported OS type and version.”

        Allow your 0patch-protected computers to connect to 0patch server for periodic syncing in order for them to receive new micropatches and in order for you to remotely manage them (included in the Enterprise license).

        I also gather that the micropatches will be applied “in memory”, meaning only during the execution of those executable application and operating system’s files that may need them, to make their execution safe from new threats discovered “in the wild”. That is, apparently, it might seem, as long as these files are kept in a mass-storage drive, HD or SSD, and not in firmware, unlike the elements of the BIOS, EFI, UEFI. Although, as I understand it, while some of these run only on firmware, others can also run on the main mass-storage devices: if so, does this make any difference from the point of view of micropatching?

        Windows 7 Professional, SP1, x64 Group B & macOS + Linux (Mint) => Win7 Group W + Mac&Lx

        2 users thanked author for this post.
        • #1968922 Reply

          Mitja Kolsek
          AskWoody Plus

          0patch can currently only micropatch user-space Windows processes. Providing support for kernel micropatches is in the pipeline but you should know that the highest-risk vulnerabilities (those allowing for remote code execution) are mostly located in user-space code. 0patch can’t micropatch BIOS, EFI/UEFI, or any other component outside of Windows processes (and kernel at some point).

          Mitja

          5 users thanked author for this post.
          • #1968988 Reply

            woody
            Da Boss

            Thanks – and welcome to the AskWoody cabal….

            2 users thanked author for this post.
