0patch

Discussion in 'other security issues & news' started by Rafales, Jun 7, 2016.

  1. Rafales

    Rafales Registered Member

    Joined:
    Feb 20, 2013
    Posts:
    55
    Location:
    Earth
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    6,763
    What is a benefit of 0patch over regularly patching an application? Does it provide a patch before vendor releases it?
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,177
    Location:
    The Netherlands
    I'm not sure what to think of it. So it's able to actively protect against exploits? But why on earth would I let a third party patch my apps, or is it comparable with anti-exploit tools?

    From what I've read it does have this ability.
     
  4. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    832
    Location:
    UK
The idea is that community-supplied patches can be used before vendor-released patches are made available.
    It also doesn't require any installers; it patches directly into memory.

    A bit like using a web application firewall to patch vulnerabilities not patched directly on the vendor software.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,522
    Location:
    U.S.A.
The last thing in the world I would want is some obscure software from some unknown outfit altering the memory of my processes. Thanks but no thanks ................
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,177
    Location:
    The Netherlands
I feel the same; I'd rather rely on anti-exe and anti-exploit, which can also protect against zero-days.
     
  7. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    832
    Location:
    UK
    I agree to an extent, but every outfit is unknown when they start.
     
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,876
Initially it sounded like a neat idea. In the past other people have provided good patches before e.g. MS could or would. Just a couple of examples are the .LNK vulnerability & the Image Metafile vulnerability. So out of curiosity I thought I might install it & see what it made of my non-patched/updated XP/SP2 OS.

    As usual I'm using ShadowDefender & amongst other things ProcessGuard.

    On first launching, before installing, I viewed the Licence Agreement. After reading it I would normally not have considered coming out of SD mode to actually install it properly, as it's extremely invasive etc etc!

    So I stayed in SD mode & continued.

    ProcessGuard instantly interrupted & alerted me to the following.

    It tried to install a driver/service named 0patchDriver, which I kinda expected, so I allowed it.

    0patch\agent\0patchservice.exe was blocked from modifying ALL of my running .EXEs, including ALL the running OS .EXEs!

    I disabled PG to allow all that, but then got an error message saying it couldn't write to its own log? When I looked in Program Files/0patch/Logs there were 3 log files; 1 was 0 kB, the other 2 around 4 kB. I tried to open all 3 but got a Permission Denied error?

    By now I had seen enough & stopped trying.

    Maybe others might like to see what happens on their comps & report back.
     
  9. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,583
    Location:
    Poland - Cracow
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,177
    Location:
    The Netherlands
    Doesn't sound too good, why does it need to inject code into all running processes?
     
  11. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,876
    @ Rasheed187

I don't know, but it's too invasive for me, & the EULA lets them own you!
     
  12. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,289
Clone, I wonder how ProcessGuard would work on Windows 10. I still have two lic and the last download.
    Does it require a reboot to install?
     
  13. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,876
    @ boredog

Dunno if it would work on Windows 10? You could try it in Compatibility Mode for XP, e.g., & see. Hope it works for you :thumbd: I wouldn't want to be without it :)

    Yes, it requires a reboot to install, & I checked in the Help File for you. Whilst I had it open, I realised I had never read all the way through it, in all this time! Well, I discovered that I can add in even further protections than I have already with the "Secure Message Handling" feature, for starters!

    Live n learn, so Thanx for asking ;)
     
  14. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,289
    Hello Clone

I need to go dig through my old disks to find it. I hope I didn't throw it away thinking I would never use any of those old programs.
    If I can find it I will give it a shot. It might even still be in an old Yahoo e-mail.
     
  15. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,876
Let us know how it goes. If you can't find it I can send it to you, if you can't locate it online somewhere. I expect your licence is safe in another place?
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,177
    Location:
    The Netherlands
    No it won't work since Win 7/8/10 use a different security architecture compared to Win XP.
     
  17. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    6,763
    https://www.helpnetsecurity.com/2017/03/13/reinventing-software-patching/
     
  18. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,714
    Location:
    Slovakia
  19. Gapliin

    Gapliin Registered Member

    Joined:
    Feb 12, 2012
    Posts:
    69
This is quite an interesting approach imo.
    You need to actually understand their goal: they want to bridge the gap between a vendor releasing a patch for some vulnerability and that patch actually getting installed at the client. If you work in a corporate environment you know that patches usually lag behind by some months.
    So at least for still-supported software this is not really so much about patching zero-days (for major vendors these don't happen so often; still, this IE/Edge RCE for example was lying in the wild for almost three weeks until MS patched it: https://bugs.chromium.org/p/project-zero/issues/detail?id=1011). Of course it could come in handy for end-of-life products.

The patching works in memory, so the signatures of the actual files on disk are still valid. Also, every patch only ever works with a certain hash of the vulnerable file, so after you install the vendor patch the 0patch micropatch doesn't apply anymore. They also aim to only patch the actually vulnerable code and not whole functions.
    Another plus is that the patching is transparent, since you can check the micropatches for yourself with a simple text editor.

I think the problem with that approach is that they (ACROS Security) need to have an actual proof-of-concept available for released vendor patches. Sometimes you can get these within days through exploit-db, packetstorm, etc., but for more complex vulnerabilities it can take some time.
    Or in other words: they would need to invest time and effort to actually get to the root of the issue and find the vulnerable code. Depending on how complete their solution should be, they would need to do that for every released security patch of every major software vendor. And if you count the number of Windows, Office, IE/Edge, Firefox, Chrome, Adobe, Java, ... vulnerabilities every month, you get the idea that this is quite a challenge. (They try to solve that with something they call "crowd-patching".)

Even so: for every publicly available proof-of-concept they could provide you with a simple micropatch very fast and without needing to restart the software (or even the host). And to be honest: most of the time only exploits with publicly available proof-of-concept code get into exploit kits.

All in all: with some funding for more manpower and possible support by other vendors, I could expect this approach to become at least another way to tackle the "bridging the security update gap" issue.

    Some more material if you want to research it for yourself.

    Talks:
    Yes, Now YOU Can Patch That Vulnerability Too! - DeepSec 2015 (video, slides)
    Fixing the Fixing - RSA Conference 2017 (video, slides)

    Blog: https://0patch.blogspot.com/ (many blog posts lately explaining how to create micropatches for yourself)

    How to create your own patches:
    https://0patch.blogspot.com/2017/02/one-step-closer-to-crowdpatching-and.html
    0patch Agent for Developers:
    https://dist.0patch.com/download/latestagentdev
    https://0patch.com/files/0patch_Patch_Developer_Manual.pdf
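The mechanism Gapliin describes above (a micropatch that is bound to the hash of one exact vulnerable file, changes only a few bytes in the loaded image rather than the file on disk, and silently stops applying once the vendor's own fix replaces that file) can be demonstrated without any x86 machinery. The following is an added illustration written for this page, not 0patch's agent code or patch format: the toy "module" layout, the Micropatch descriptor fields and the run_copy simulator are all constructed for the example, and real micropatches target machine code rather than a constant in a header.

```python
import hashlib
import struct
from dataclasses import dataclass

# --- Constructed toy "module" -------------------------------------------------
# Layout (invented for this example): 6-byte magic, 2-byte version tag, a
# 4-byte little-endian length bound consulted by a copy routine, 16 bytes of
# padding. The bug: the bound is larger than the buffer the module really has.
MAGIC = b"TOYMOD"
BUFFER_SIZE = 0x80                 # size of the buffer the module actually owns
BOUND_OFFSET = len(MAGIC) + 2      # where the 4-byte bound lives in the image


def build_module(bound: int, version: bytes) -> bytes:
    assert len(version) == 2
    return MAGIC + version + struct.pack("<I", bound) + b"\x90" * 16


def run_copy(image: bytes, input_len: int) -> str:
    """Simulate the module's copy routine running against a loaded image."""
    bound = struct.unpack_from("<I", image, BOUND_OFFSET)[0]
    if input_len > bound:
        return "rejected"
    return "overflow" if input_len > BUFFER_SIZE else "copied"


# --- Micropatch descriptor and agent-side logic (hypothetical) ------------------
@dataclass(frozen=True)
class Micropatch:
    """Hypothetical descriptor; the field names are not the 0patch format."""
    module_sha256: str   # exact on-disk module this patch was written against
    offset: int          # byte offset of the vulnerable code
    original: bytes      # bytes expected at offset (guards against mis-applying)
    replacement: bytes   # same-length bytes written into the loaded image only


def module_hash(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def applies_to(patch: Micropatch, image: bytes) -> bool:
    """A micropatch is tied to one file hash; any other build is left alone."""
    return patch.module_sha256 == module_hash(image)


def apply_in_memory(patch: Micropatch, image: bytes) -> bytes:
    """Return a patched copy of the loaded image; the on-disk bytes are untouched."""
    if not applies_to(patch, image):
        raise ValueError("module hash mismatch: patch not applicable")
    end = patch.offset + len(patch.original)
    if image[patch.offset:end] != patch.original:
        raise ValueError("unexpected bytes at patch offset")
    if len(patch.replacement) != len(patch.original):
        raise ValueError("replacement must keep the code size")
    mem = bytearray(image)
    mem[patch.offset:end] = patch.replacement
    return bytes(mem)


def protect(image: bytes, patch: Micropatch) -> bytes:
    """What an agent would do at module load: patch if, and only if, the hash matches."""
    return apply_in_memory(patch, image) if applies_to(patch, image) else image


# --- Sample data (constructed) ---------------------------------------------------
VULNERABLE_IMAGE = build_module(0x100, b"v1")   # bound 0x100 > 0x80 buffer
VENDOR_FIXED_IMAGE = build_module(0x80, b"v2")  # vendor's real fix: new file, new hash

# The micropatch changes only the 4-byte bound, nothing else in the image.
PATCH = Micropatch(
    module_sha256=module_hash(VULNERABLE_IMAGE),
    offset=BOUND_OFFSET,
    original=struct.pack("<I", 0x100),
    replacement=struct.pack("<I", BUFFER_SIZE),
)

if __name__ == "__main__":
    live = protect(VULNERABLE_IMAGE, PATCH)
    print("unpatched, 0xC0 bytes:   ", run_copy(VULNERABLE_IMAGE, 0xC0))
    print("micropatched, 0xC0 bytes:", run_copy(live, 0xC0))
    print("disk hash unchanged:     ", module_hash(VULNERABLE_IMAGE) == PATCH.module_sha256)
    print("applies to vendor build: ", applies_to(PATCH, VENDOR_FIXED_IMAGE))
```

Two details carry the security point. The original-bytes check means a descriptor can never be applied to the wrong offset even if someone ships a wrong hash, and the equal-length rule is what lets the patch live in the loaded image without relocating anything. Once the vendor-fixed build is on disk its hash no longer matches, so protect() returns the image unchanged and the micropatch retires itself exactly as Gapliin describes.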