Third party security group patches a Windows vulnerability Microsoft couldn't, yet again

[Daniel Sims]

Facepalm: Since last summer, a potentially dangerous vulnerability affecting all currently-supported versions of Windows has eluded Microsoft's security team. So far, Redmond developers have failed to fix it twice. This week an outside group released its own patch for the second time.

Third-party platform 0patch has released its second fix for a local privilege escalation vulnerability after Microsoft's latest attempt at mitigation broke the group's first patch. The latest version works for the March 2022 editions of Windows 10 v21H1, v20H2, v1909, and Windows Server 2019. Downloading it requires a free account at 0patch's website.

A Bug That Doesn't Want To Die (CVE-2021-34484) - Twice Bypassed and Twice Micropatched, Will Third Time be a Charm? https://t.co/BqzFrC9P3E pic.twitter.com/VooVZILHSk

— 0patch (@0patch) March 21, 2022

The whole debacle started last August when security researcher Abdelhamid Naceri discovered a vulnerability (CVE-2021-34484) that gives attackers administrator-level privileges. It affects Windows 11, Windows 10, and Windows Server. Microsoft attempted to fix the exploit as part of August 2021 Patch Tuesday, but Naceri soon developed a proof of concept that circumvented Microsoft's fix.

In November, 0patch stepped in with its first unofficial fix, which proved effective. However, Microsoft released a second official patch as part of January 2022 Patch Tuesday. Not only did Naceri find a way around this one, but applying it also undid 0patch's working solution.

Developers at 0patch have now ported a new fix to versions of Windows with Microsoft's latest updates. The group says its first patch still protects Windows versions that no longer receive official support—like Windows 10 v1803, v1809, and v2004.

Permalink to story.

https://www.techspot.com/news/93886-third-party-security-group-patches-windows-vulnerability-microsoft.html

 

[Dimitriid]

Hey on the upside: This tracks very well with the other story about Microsoft intentionally rejecting perfectly good rigs just because they're Ryzen 1000 or Intel 7th gen or older even though they're still able to use TPM 2.0 via the headers: maybe in 10 years we should all be moving to third party patching if for some reason we can't still feasibly just move to Linux.

 

[psycros]

Hey on the upside: This tracks very well with the other story about Microsoft intentionally rejecting perfectly good rigs just because they're Ryzen 1000 or Intel 7th gen or older even though they're still able to use TPM 2.0 via the headers: maybe in 10 years we should all be moving to third party patching if for some reason we can't still feasibly just move to Linux.

Linux is its own worst enemy, sadly. I'd love to ditch Windows but there are a handful of programs I couldn't replace, plus the Linux desktops are still buggier than Windows. Its made great strides in the past 10 years but they've still got a ways to go. Standardization is the most important step - they need to have a single display and desktop manager that's configurable enough to suit anybody's needs. It should be possible in theory.

 

[Uncle Al]

While I agree Linux has some bugs and can be improved I can say they are going in the right direction which Windows can't and haven't been able to claim for a long time. The main benefit is Linux can be tweaked and worked on and for those that can't live without windows apps there are a few newer generation programs that manipulate WINE to the point it is very functional. There are a number of excellent tutorial's on Youtube helping you get started up to being accomplished. The main reason I went to it .... it's a lot like the old days of apple basic and gives the user control .... and I've found it is a lot tougher for hackers out there to get through.

 

[SG736F6]

Linux is its own worst enemy, sadly. I'd love to ditch Windows but there are a handful of programs I couldn't replace, plus the Linux desktops are still buggier than Windows. Its made great strides in the past 10 years but they've still got a ways to go. Standardization is the most important step - they need to have a single display and desktop manager that's configurable enough to suit anybody's needs. It should be possible in theory.

Have you tried Pop!_OS?

 

[VEGGIM]

While I agree Linux has some bugs and can be improved I can say they are going in the right direction which Windows can't and haven't been able to claim for a long time. The main benefit is Linux can be tweaked and worked on and for those that can't live without windows apps there are a few newer generation programs that manipulate WINE to the point it is very functional. There are a number of excellent tutorial's on Youtube helping you get started up to being accomplished. The main reason I went to it .... it's a lot like the old days of apple basic and gives the user control .... and I've found it is a lot tougher for hackers out there to get through.

Its more of less that and more hardware. Espeically the laptop space. The majority of laptops have hardware in them or things that linux does not seem to do. For example things like brightness or speakers. Even some things like brightness control.

 

[ypsylon]

While I agree Linux has some bugs and can be improved I can say they are going in the right direction which Windows can't and haven't been able to claim for a long time. The main benefit is Linux can be tweaked and worked on and for those that can't live without windows apps there are a few newer generation programs that manipulate WINE to the point it is very functional. There are a number of excellent tutorial's on Youtube helping you get started up to being accomplished. The main reason I went to it .... it's a lot like the old days of apple basic and gives the user control .... and I've found it is a lot tougher for hackers out there to get through.

Yes, that's Linux biggest strength and weakness at same time.

Strength is that it's very configurable. You can find potentially fix for any problem you have.

Weakness is that it has 0 standardization between versions and you can't just simply switch to distro-whatever, load WINE and work with Windows software as nothing happened. For gaming rig that's not an issue. You can iron out bugs, plus projects like Lutris make it very smooth most of the time. For work machine that's insta no-go area. If you want to pay bills with your work, Linux has to offer perfect, 101% compatibility via WINE layer (often on day one after upgrade) for any piece of software which has no dedicated Linux version, which in turn sadly is most of it. Plus driver and new hardware support is always (often seriously) behind the curve vs Windows. Take for example DAZ Studio, which recently was upgraded to 4.20 with volumetric module support. I know there are folks with passion which run DAZ on Linux (big brains), but for now they can't use 4.20 because libraries on Linux are not available and are forced to 4.16, while nVidia drivers in required version were out in the wild on Windows long before DAZ 4.20 left beta stage. That's basically Linux+WINE for work in a nutshell.

 

[Fearghast]

Have you tried Pop!_OS?

That's one of the problems
Windows users Google Linux and they find out that there are over 100+ active distros and they have no clue what to chose for their usage.

 

[texasrattler]

Linux, whether good or not dont really matter as the mainstream users have no clue on how to use Linux. Also they will never take the time to learn it. Its needs to be very simple, its not. Until thats sorted out n with one version, not 100 distros, it will never be a option for many to choose. This has been said countless times for over a decade. Nothing has changed. Or another way to put it, linux hasnt changed for mainstream users to care or even notice.
MS will be the dominant OS for a long while to come. Those are the facts n ppl just going to have to live with it.

 

[Geralt]

Linux, whether good or not dont really matter as the mainstream users have no clue on how to use Linux. Also they will never take the time to learn it. Its needs to be very simple, its not. Until thats sorted out n with one version, not 100 distros, it will never be a option for many to choose. This has been said countless times for over a decade. Nothing has changed. Or another way to put it, linux hasnt changed for mainstream users to care or even notice.
MS will be the dominant OS for a long while to come. Those are the facts n ppl just going to have to live with it.

I fully agree. I have that problem with Ubuntu now: I don't have time to learn, and really I'd prefer to have a full GUI. I dislike the terminal. I don't want to return to the times of DOS. Millions of distros with funny names is just stupid. I need only one powerful distro with full GUI.

 

[Fearghast]

I fully agree. I have that problem with Ubuntu now: I don't have time to learn, and really I'd prefer to have a full GUI. I dislike the terminal. I don't want to return to the times of DOS. Millions of distros with funny names is just stupid. I need only one powerful distro with full GUI.

Sounds like you are describing crypto currencies as well :-D

 

[wiyosaya]

I fully agree. I have that problem with Ubuntu now: I don't have time to learn, and really I'd prefer to have a full GUI. I dislike the terminal. I don't want to return to the times of DOS. Millions of distros with funny names is just stupid. I need only one powerful distro with full GUI.

Linux is its own worst enemy, sadly. I'd love to ditch Windows but there are a handful of programs I couldn't replace, plus the Linux desktops are still buggier than Windows. Its made great strides in the past 10 years but they've still got a ways to go. Standardization is the most important step - they need to have a single display and desktop manager that's configurable enough to suit anybody's needs. It should be possible in theory.

Try openSuSE LEAP. https://get.opensuse.org/leap/

 

[waclark]

While I agree Linux has some bugs and can be improved I can say they are going in the right direction which Windows can't and haven't been able to claim for a long time. The main benefit is Linux can be tweaked and worked on and for those that can't live without windows apps there are a few newer generation programs that manipulate WINE to the point it is very functional. There are a number of excellent tutorial's on Youtube helping you get started up to being accomplished. The main reason I went to it .... it's a lot like the old days of apple basic and gives the user control .... and I've found it is a lot tougher for hackers out there to get through.

I think the issue is that you (and I) are looking at this through the prism of being technically inclined. I suspect that 90% (made up Internet stat) of people out there don't want to have to go to YouTube or a HowTo to set up their machines. They just want them to work.

I've built Linux systems, including my first home network router, and while it wasn't particularly difficult (for me), I don't think people want to get that deep into their OS. And I agree with the other comment above, getting a consistent and "standardized" user interface will be critical to home adoption. And of course, better gaming support.

 

[mrSister]

I fully agree. I have that problem with Ubuntu now: I don't have time to learn, and really I'd prefer to have a full GUI. I dislike the terminal. I don't want to return to the times of DOS. Millions of distros with funny names is just stupid. I need only one powerful distro with full GUI.

So what exactly is stoping you from using that one distro and installing all the gui tools you like? Is not like you have to install 200 diferent ditros.

In fact there are only 5 or 6 distros worth considering and the rest are just derivatives that add nothing: debian, arch, ubuntu, redhat/fedora and opensuse.

In the end, once you have used one distro, you can use all of the them.

 

[jmr00]

Nit on the article: Microsoft's CVE page seems to indicate this affects Windows all the way back to Windows 7 SP1 and Windows Server 2008 R2. The text "Windows 10, Windows 11, and Windows Server" is misleading.

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34484

 

[wiyosaya]

I've built Linux systems, including my first home network router, and while it wasn't particularly difficult (for me), I don't think people want to get that deep into their OS. And I agree with the other comment above, getting a consistent and "standardized" user interface will be critical to home adoption. And of course, better gaming support.

I did basically the same thing (home network router) and gradually added Samba server, NTP server, DHCP server, and caching DNS server. But, I'm a programmer in the working world.

In fact there are only 5 or 6 distros worth considering and the rest are just derivatives that add nothing: debian, arch, ubuntu, redhat/fedora and opensuse.

Obviously, openSuSE gets my vote, but I have not explored its gaming capabilities if any.

IMO, the openSuSE folks have done an excellent job over the years of making upgrades (between versions that is) a trivial task to install.

For people like @Geralt it does have a choice of two fully GUIs KDE and GNOME. And like Windohs, it retains the ability to open a terminal (command window) and run command-line stuff - which is not all that different from what Windohs allows.

In the end, once you have used one distro, you can use all of the them.

Though my experience is limited mostly to openSuSE (I did start with RedHat then to openSuSE and never went back) all linux distros, whether with a gui or not, are essentially unix like environments where all command-line functions are basically the same from flavor to flavor. The online forums for openSuSE often have people who are exceptionally helpful, too, even if the tasks are relatively complicated. It has typically been a peeve of mine that the Linux community typically is difficult to interact with - even for the technically inclined, but the openSuSE forums seem to be, mostly, an exception to that rule. There are some d!cks there, but there are some very helpful people there, too.

Plus, from an experience a few years back, I found it was possible at that time to just image my existing openSuSE drive and restore that image to a hard drive in a completely new build, and it just worked - which is something that is not possible with Windohs .

 

[Ben Myers]

The vast number of Linux distros make it a modern Tower of Babel. As numerous psychological studies have shown, having more choices is worse than having a limited number. As it is today in the Windows world, we have two choices, Win 10 and Win 11, so the choice is pretty easy, and maybe mandated by the hardware one has. With at least a hundred distros on distrowatch.com, how easy is it for someone to pick the right Linux distro to suit her needs? Setting aside the specialty distros which are liked by many of us, the choice of distros and distros with 5 or 6 spins is bewildering.

 

[waclark]

The vast number of Linux distros make it a modern Tower of Babel. As numerous psychological studies have shown, having more choices is worse than having a limited number. As it is today in the Windows world, we have two choices, Win 10 and Win 11, so the choice is pretty easy, and maybe mandated by the hardware one has. With at least a hundred distros on distrowatch.com, how easy is it for someone to pick the right Linux distro to suit her needs? Setting aside the specialty distros which are liked by many of us, the choice of distros and distros with 5 or 6 spins is bewildering.

I agree. It's confusing. The short answer for a novice or someone unfamiliar with Linux should stick to one of the major suppliers, like Red Hat or Suse. I think between those 2 you'll cover 90% of the bases. And they have a pretty good support base.

 

[Ben Myers]

I agree. It's confusing. The short answer for a novice or someone unfamiliar with Linux should stick to one of the major suppliers, like Red Hat or Suse. I think between those 2 you'll cover 90% of the bases. And they have a pretty good support base.

I'll throw Mint and Ubuntu into the mix. A bootable Mint Cinnamon ISO is a pretty good diagnostic tool and trivial to use. Four should be enough for someone to make an informed choice, and four is not quite too many.

 

[texasrattler]

Again, tho this about Linux being mainstream not about 1 user. 1 user can do/choose whatever they like. Mainstream users want ONE and only one option. Multiple options confuses them. Even in Windows world giving ppl more than one option can not only confuse but also scare them.
So if Linux wants to EVER be mainstream, there can only ever be ONE. ONE destro that rules them all. Until that ever happens, highly unlikely, Linux will NEVER be a option for most people.

 

[waclark]

I

Again, tho this about Linux being mainstream not about 1 user. 1 user can do/choose whatever they like. Mainstream users want ONE and only one option. Multiple options confuses them. Even in Windows world giving ppl more than one option can not only confuse but also scare them.
So if Linux wants to EVER be mainstream, there can only ever be ONE. ONE destro that rules them all. Until that ever happens, highly unlikely, Linux will NEVER be a option for most people.

I think the reason there isn't one "de facto" standard is because there isn't a demand for one. Which is why the masses haven't flocked to Linux et al. Right now, people using Windows and MacOS machines don't see a need to change. The devices work and if there is a problem, they know people they can call to help. Linux, no so much.

Even if there were one bistro, I'm not sure people would flock to it. It would have to be very compelling at this point. I see a lot of computing going cloud/web and less and less will be installed locally. So at that point, you just need a good browser and who cares what it runs on? Linux may win that battle, just by being more lightweight than Windows.