Windows 10 Pro v1709 & 0patch

Topic

New Reply

I have a system with Windows 10 Pro v1709 that I rarely use but am also extremely reluctant to “update” to the latest version of Windows 10 for fear of Microsoft hosing it with their “quality” improvements.

Considering this will also exclude me from very real security updates from Microsoft, I was wondering if starting to use 0patch with this system would be a good idea. It would certainly provide me some extra security since 1709 has been EOL since April 9, 2019.

I have read the following FAQ regarding, “What data are agents sending to 0patch server, and why?” on the 0patch website:

Agents are sending telemetry data to the server for two purposes:

1. to allow computer owners and administrators to remotely monitor 0patch Agents on their
computers;

2. to allow us to help users troubleshoot problems and prioritize vulnerabilities for
micropatching based on their impact on our users.

This is the data that agents are periodically sending to the server (once every hour by default):

Computer name
Operating system version
IP address(es) of the computer running the agent
Current state of the agent (enabled/disabled)
List of disabled patches
List of applications excluded from patching
List of patches that have been applied to individual applications, along with how many times
they were applied and when they were last applied
List of “patchable modules” found on the computer (i.e., modules for which micropatches exist)

I have two questions from all this:

1. Do you think my strategy to keep using 1709 in it’s current state in conjunction with 0patch is a good idea? (Realizing, of course, I will not be fooling myself into any sort of false sense of security mindset by doing this.) I’m happy with how 1709 is working for me and I’m not a fan of Microsoft trying to force me off it just because it’s part of their WaaS business model.

2. Does anyone have any concerns with the amount of information that gets sent to 0patch when using their micropatches? I realize that level of detail has to be sent in order for the 0patch agent to work as intended, I just wonder what they’re doing with all that info they’re collecting.

Two more things:

I have 1709 locked down as much as I can to prevent Microsoft from gathering telemetry from this system.

If I ever was to upgrade it, I would move it back to Windows 8.1 instead.

Reply | Quote

Replies

It was my understanding that 0patch was for Win7 and Server 2008 R2.
I don’t believe they offer patching for Win10 (I could be wrong).

Reply | Quote

From 0patch’s FAQ webpage:

Does 0patch add value on still-supported Windows versions such as Windows 10 or Server 2019?

While many users are choosing 0patch to keep their out-of-support Windows 7 and Windows Server 2008 R2 systems secure, there is a lot to gain from 0patch on still-supported Windows systems:

Protection from critical 0days in Windows components. A good example is our micropatch for CVE-2020-0674, which implements Microsoft’s recommended workaround but without the negative side effects. This micropatch was made for all Windows 10 and supported Server versions so that users got a non-breaking protection while waiting for the official fix. (Note that such micropatches are issued for critical 0days, but large customers can also request one being made due to their specific situation and exposure.)

More examples: 0day in Jet Database Engine, 0day in Task Scheduler, another 0day in Task Scheduler, this 0day three-pack, 0day in Internet Explorer

Protection from critical 0days in other Windows products, for example these 0days in Equation Editor, 0day in Microsoft Word,

Protection from critical 0days in 3rd-party software products such as Adobe Reader, 7-Zip, Foxit Reader, WinRAR,… see https://0patch.com/patches.html and https://blog.0patch.com for more examples.

Protection for 3rd-party products that are out of support but you must use them for legacy reasons, e.g., old Java runtime versions.

Protection for 3rd-party products that you can’t afford to just restart in order to apply official update, such as this issue in VMware Workstation.

Protection for 3rd-party products where the vendor wants to charge you a large amount to have some vulnerability fixed (e.g., “Upgrade to the latest version of our product which has this issue fixed. It only costs $100k.”).

Temporary protection while you’re testing official vendor patches, or when the official update breaks some functionality and you have to uninstall it, re-opening critical vulnerabilities while the vendor is working on a new fix. In such cases, we can make a temporary micropatch to keep you protected during this period (e.g., https://blog.0patch.com/2018/05/a-single-instruction-micropatch-for.html).

0patch can save you from big troubles when a high risk 0day gets published that requires quick protection, and it gives you an option to request custom micropatches for your particular needs.

Reply | Quote

PKCano wrote:

It was my understanding that 0patch was for Win7 and Server 2008 R2.
I don’t believe they offer patching for Win10 (I could be wrong).

0Patch provide micropatches for Windows 7 and Windows Server 2008. They patch also Office and many 3rd party apps as well :

https://0patch.com/patches.html

Reply | Quote