Technically classified as a privilege escalation flaw, the bug enables attackers to become administrators if they have physical access to a computer. Interestingly, Microsoft first fixed the bug in August 2021, before the researcher who discovered it found the fix was broken. Microsoft then patched it again in January 2022, but this second fix was also found to be ineffective.  “It’s, unfortunately, more common than it should be for any vendor to attempt to fix a vulnerability, only for people to find out that the fix isn’t as complete as it should be,” Will Dormann, Vulnerability Analyst at CERT/CC, told Lifewire in a Twitter DM.  

Third Time Lucky

The bug was discovered by security researcher Abdelhamid Naceri, who then dismissed Microsoft’s patches as ineffective. To back his claim, Naceri wrote what’s known as a proof-of-concept code to demonstrate the vulnerability can still be exploited. Mitja Kolsek, co-founder of the 0patch project that has released the unofficial fix for the bug, told Lifewire over email that the only saving grace is that the bug can’t be exploited remotely over the internet. This means attackers will need physical access to your machine or find a way to trick people into running their infectious code to take charge of their computer. Breaking down the bug technically, Kolsek said flaws of this nature are “tricky to fix,” and his team has found many such flaws in the past. “To be quite fair, if any of us tried to fix this flaw without the knowledge that we now have about similar flaws, we would probably also have fixed it incorrectly at least twice,” said Kolsek. Naceri sent a Twitter direct message to Lifewire to confirm that the fix issued by 0patch successfully solved the issue. According to reports, Microsoft has issued a statement acknowledging the 0patch and will take action as required to protect its customers.

Patch Management

Projects such as 0patch might seem counterintuitive since software providers like Microsoft regularly dish out updates to fix issues with their software.  Kolsek explains that a lot of time usually passes between identifying a vulnerability and delivering a fix. Known vulnerabilities that don’t have a fix are known as zero-days, and attackers usually turn a just-published vulnerability into an exploit much faster than large software vendors can respond. “When we come across such a vulnerability, we try to reproduce it in our lab and create a patch for it ourselves. Once a patch is done, we deliver it to all 0patch users through our server, and within 60 minutes, it is applied on all 0patch-protected systems,” explained Kolsek.  And just like the fix for the vulnerability identified by Naceri, 0patch doesn’t charge for its patches until there’s an official fix from Microsoft.  0patch also helps secure popular but unsupported versions of Windows, such as Windows 7. It even supports some earlier versions of Windows 10 that either don’t receive official patches from Microsoft, or the updates come at a steep price, keeping them out of reach of regular people who then continue to run unprotected systems. Kolsek stressed that on still-supported Windows editions, people should think of 0patch as an addition to the official patches rather than an alternative, adding that the 0patches work best on computers that have all the official patches installed.