• Zero day still unpatched

    #2408095

    The month of December around Microsoft typically means that not only do we not get any “C” or “D” week updates, but many in Redmond go on vacation. As
    [See the full post at: Zero day still unpatched]

    Susan Bradley Patch Lady

    3 users thanked author for this post.
    • #2408140

      I think Google (Alphabet) is also on vacation this week. My Samsung smartphone hasn’t received any app updates from the app store going on seven days now. I guess all the tech giants take the week before Christmas off.

       

      • #2408146

        My Samsung smartphone has received 27 app updates from the Google Play Store over the last week.

        Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge

    • #2408181

      According to the 0patch Blog entry Micropatching “ms-officecmd” Remote Code Execution (No CVE) mentioned in Susan’s Zero Day Still Unpatched:

      Having a fix delivered through an alternative mechanism instead of Windows Update is not unprecedented in Windows, but can depend on assumptions that may not always be true. In this case, the fix was delivered through Windows Store – but only if the AppX Deployment Service was running. This service (AppXSVC) is enabled on Windows 10 by default and gets started when needed. The situation is therefore such that a remote code execution vulnerability with no CVE ID assigned and official fix issued may have remained unfixed on an unknown number of computers worldwide.

      Is this the same Windows AppX Installer vulnerability described in Tips for the Week – What About the AppX Vulnerability? I checked my AppX Deployment Service [AppXSVC – StartType = Manual (Trigger Start)] today and it’s currently running on my computer and Settings | Apps | Apps & Features | App Installer | Advanced Options shows that my App Installer was updated to v1.16.13405.0 on 14-Dec-2021 (via the Microsoft Store) that patches this Windows AppX Installer vulnerability.


      After reading that 0patch blog I was left with the impression that I’m fully patched because I received the App Installer update via the Microsoft Store.  Unfortunately, I searched C:\Windows, C:\Program Files and C:\Program Data folders and can’t find the AppBridge.dll file mentioned in the 0patch blog, so I’m not sure if that .DLL file was updated on 14-Dec-2021 on my computer at the same time that the Windows AppX Installer v1.16.13405.0 update was delivered via the Microsoft Store.
      ———–
      Dell Inspiron 5584 * 64-bit Win 10 Pro v21H1 build 19043.1415 * Firefox v95.0.2 * Microsoft Defender v4.18.2111.5-1.1.18800.4 * Malwarebytes Premium v4.5.0.152-1.0.1538 * MS Office Home and Business 2019 C2R (Version 2111, Build 14701.20262)

      • #2408289

        I searched C:\Windows, C:\Program Files and C:\Program Data folders and can’t find the AppBridge.dll file mentioned in the 0patch blog

        Try pasting the path below into your File Explorer address bar:

        C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2110.13110.0_x64__8wekyb3d8bbwe

        If that doesn’t work, paste C:\Program Files\WindowsApps and then open the Microsoft.MicrosoftOfficeHub_[your version]_x64_8wekyb3d8bbwe folder. The AppBridge.dll will be there.

        1 user thanked author for this post.
        • #2408293

          The path was truncated in my prior post. The folder to look for in

          C:\Program Files\WindowsApps is

          Microsoft.MicrosoftOfficeHub_18.2110.13110.0_x64_8wekyb3d8bbwe
          
        • #2408418

          Thanks to the anonymous poster for pointing me to the correct folder that was mentioned at the bottom of the 0patch blog Micropatching “ms-officecmd” Remote Code Execution (No CVE).  TreeSize Free (run as an Administrator with View | Hidden Items enabled in File Explorer) shows my AppBridge.dll file in C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2110.13110.0_x64__8wekyb3d8bbwe has no version number (as noted in the 0patch blog) but was updated 11-Dec-2021 so I’m guessing I have a patched version.


          Settings | Apps | Apps & Features shows my current Office v18.2110.13110.0 app (as well as Skype v15.79.95.0, which I’ve never used; note that I don’t have Microsoft Teams installed on my computer) was updated via the Microsoft Store on 11-Dec-2021 so I assume that Office app update was responsible for the AppBridge.dll file update. It also appears that Alex5723’s comment in post # 2408198 was correct and that the App Installer v1.16.13405.0 update on 14-Dec-2021 by the Microsoft Store to patch the Windows AppX Installer vulnerability described in Susan’s Tips for the Week – What About the AppX Vulnerability? had nothing to do with this zero day described in Susan’s Zero Day Still Unpatched.


          That being said, the 0patch blog Micropatching “ms-officecmd” Remote Code Execution (No CVE) also states …

          ” … Our patch was written for 32-bit and 64-bit AppBridge.dll that was delivered to Windows machines through Windows Store in October 2020. This is the last vulnerable version, and was subsequently replaced with a fixed version in June 2021. Our patch will therefore only get applied if you had Windows Store enabled in October 2020, and disabled it some time before June 2021. We expect some users may have older, or much older, versions of AppBridge.dll installed due to having disabled Windows Store earlier….”

          … so I’m not sure I was ever vulnerable to this “ms-officecmd” zero day exploit in the first place. The fixed version of AppBridge.dll has not been delivered via Windows Update – or at least not yet – so it sounds like users with Win 8.x / Win 10 OS who disabled Microsoft Store updates after October 2020 (and perhaps users with an older, unsupported OS like Win 7 SP1) are the only ones who have to worry about having a vulnerable version of AppBridge.dll that is dated on or before October 2020. This would also assume they have Windows applications such as Office, Teams or Skype that can use the “ms-officecmd” URL handler to launch these applications by opening a URL provided in a hyperlink or visiting a web page.
          ———–
          Dell Inspiron 5584 * 64-bit Win 10 Pro v21H1 build 19043.1415 * Firefox v95.0.2 * Microsoft Defender v4.18.2111.5-1.1.18800.4 * Malwarebytes Premium v4.5.0.152-1.0.1538 * MS Office Home and Business 2019 C2R (Version 2111, Build 14701.20262) * TreeSize Free Portable 4.5.3.601
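
The manual check discussed in the posts above (find AppBridge.dll in the Office Hub package folder, read its date, and confirm AppXSVC is available) can be scripted. This is an added example, not part of any post in this thread and not 0patch or Microsoft code; the June 2021 cut-off is an assumption taken from the 0patch quote above, and a file date alone is only a heuristic because the DLL carries no version information.

```powershell
# Added example: inventory AppBridge.dll copies shipped with the Office Hub Store package.
# Assumption: a copy last written before June 2021 predates the fixed build
# mentioned in the 0patch blog quote. A date is a hint, not proof of patch state.
$fixedFrom = [datetime]'2021-06-01'

# The fix is delivered through the Microsoft Store, which depends on AppXSVC.
$svc = Get-Service -Name AppXSvc -ErrorAction SilentlyContinue
if ($svc) {
    'AppXSVC: Status={0}, StartType={1}' -f $svc.Status, $svc.StartType
} else {
    'AppXSVC: service not found'
}

# Resolve the package folder from the package manager instead of hard-coding
# the version-specific folder name under C:\Program Files\WindowsApps.
$packages = Get-AppxPackage -Name 'Microsoft.MicrosoftOfficeHub'
if (-not $packages) {
    'Microsoft.MicrosoftOfficeHub is not installed for the current user'
}

$report = foreach ($pkg in $packages) {
    # Recurse so that both 32-bit and 64-bit copies are found if present.
    $dlls = Get-ChildItem -LiteralPath $pkg.InstallLocation -Filter 'AppBridge.dll' `
                -Recurse -File -ErrorAction SilentlyContinue
    foreach ($dll in $dlls) {
        $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
        $assessment = if ($dll.LastWriteTime -lt $fixedFrom) {
            'Review: dated before June 2021'
        } else {
            'Dated June 2021 or later'
        }
        [pscustomobject]@{
            PackageVersion = $pkg.Version
            Path           = $dll.FullName
            LastWriteTime  = $dll.LastWriteTime
            FileVersion    = $dll.VersionInfo.FileVersion   # expected to be empty
            Signature      = $sig.Status
            SHA256         = (Get-FileHash -LiteralPath $dll.FullName -Algorithm SHA256).Hash
            Assessment     = $assessment
        }
    }
}
$report | Format-List
```

Run it from an elevated PowerShell session if the package folder cannot be read; recording the SHA256 lets you compare copies across machines instead of relying on dates.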

    • #2408198

      I have updated App Installer manually (Updates From Microsoft Store blocked).
      AppBridge.dll hasn’t been updated.
      I think that 0Patch has a new updated version of AppBridge.dll.

      1 user thanked author for this post.
    • #2408213

      ? says:

      my verizon\moto\droid9 smartish phone usually updates something google every day (2gb monthly) has been blessedly silent for patches for over 6 days now…

      • #2408222

        Exactly what I was saying above: my Samsung Galaxy S20 5G has not received an app update in six days, but received a bunch in the two days prior to this “quiet period.”

         

    • #2408288

      Just checked my brother’s Windows 7. 0Patch pro has installed AppBridge.dll.

    • #2408305

      What is the date of your AppBridge.dll file?

      It’s on the .png attached file 07-DEC-2019.
      Version : 18.1903.1152.0

      • #2408310

        My understanding from the date is that your AppBridge.dll file has not been updated. I have this same situation on a PC without Microsoft Teams installed. Based on the blog details, I’m assuming that is why I have an unpatched file. Do you have Teams installed?

        On another PC with Teams, the AppBridge.dll file was updated and has a file date this month (can’t recall the specific date).

        As the blog post notes, there is no file version information for AppBridge.dll. Therefore, it is somewhat difficult to have confidence in the patch based solely on a file date. In addition, I find it hard to believe that MS wouldn’t just provide the update universally regardless of the present need.

    • #2408312

      Do you have Teams installed?

      No.

    • #2408554

      Sorry about being a bit thick, but is it time to Resume updates again and collect any from December’s “B” week? I’m paused until January 14, my last quality update was December 4, and 21H2 was installed on December 10. Defender definitions arrived today as usual, December 27.

      Or am I just a week early before Resume time?

      • #2408578

        Hi Wayne:

        The AskWoody MS-DEFCON widget at the top of every page on this AskWoody.com site is still at MS-DEFCON 2 (“Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.” – see https://www.askwoody.com/ms-defcon-system/ for more information about the MS-DEFCON system) so you might want to wait a bit longer until Susan raises the MS-DEFCON level to 3 or 4.  The January 2022 Patch Tuesday (Week B) updates are scheduled for the second Tuesday of the month on 11-Jan-2022 so they aren’t due for another two weeks. If you aren’t comfortable waiting for the MS-DEFCON level to change see Susan Bradley’s December 2021 Patch Tuesday Arrives – Say Goodbye to 2004 where users who have already applied the December 2021 Patch Tuesday (Week B) updates are posting their feedback.


        Just note that applying the December 2021 Patch Tuesday updates isn’t going to patch the “ms-officecmd” zero day exploit being discussed in this thread since the patch is currently being delivered via the Microsoft Store, and not via Windows Update.
        —————
        Dell Inspiron 5584 * 64-bit Win 10 Pro v21H1 build 19043.1415 * Firefox v95.0.2 * Microsoft Defender v4.18.2111.5-1.1.18800.4 * Malwarebytes Premium v4.5.0.152-1.0.1538 * MS Office Home and Business 2019 C2R (Version 2111, Build 14701.20262)

        1 user thanked author for this post.
        • #2408581

          Thanks.  Basically, I’m a week too early to start looking for the go-ahead notice. Like I said, a bit thick . . .
