
0patching a 0-day: Windows gdi32.dll memory disclosure - dielel
https://0patch.blogspot.com/2017/02/0patching-0-day-windows-gdi32dll-memory.html
======
moontear
An interesting effort - but the idea of a bug bounty program for 0patching
won't work, at least not paid by the companies affected.

Patching 0-day issues usually is _not_ hard in itself. Usually it is just
little errors like missing checks for buffer overflows, or some input not
sanitized. What _is_ hard is making sure that everything still works after
the patch. And "everything" is quite a lot in the case of this issue
(gdi32.dll). You have to make sure that all still supported software depending
on gdi32.dll is still working as it should, that includes multiple Windows
versions, multiple Office versions, multiple Internet Explorer versions,
multiple ... you get the idea. Microsoft has a lot of products.

Not saying that I don't admire this, but I don't know if any company would be
willing to install "some patch" by "someone" with no guarantee that it won't
break other things or open other holes. I would always want to install an
official patch by an official vendor because I have support and warranty.

If we're talking about some legacy software with no support and no vendor
taking care of updates - this is something I could get behind and I think is
useful.

~~~
sst8
What about getting vendors into changing their patching habits? Instead of
packing some hundred mega patches just provide micro ones when needed? As you
said 0day issues are usually (not always) easy to fix. Probably you alone are
skilled enough to check this couple of code instructions by yourself - which
is not the case with full-blown patch Tuesday packages. I am pretty sure that
process could be much cheaper for MS.

~~~
com2kid
> What about getting vendors into changing their patching habits? Instead of
> packing some hundred mega patches just provide micro ones when needed?

This was how things worked previously in the industry. There are a number of
disadvantages to companies releasing multiple small patches throughout the
month:

1. Users may have to reboot their computers multiple times a week.

2. Large corporations (with their own back-compat worries) do their own
extensive validation of patches. Multiple small patches put a seriously large
burden on IT departments.

The industry has moved towards larger update bundles for good reason.

~~~
sst8
Well, with micropatching you don't need to reboot and you only have to review
minimum code changes - and if the patch is not working for you you can unpatch
it (with proper permissions, of course).

~~~
j_s
Pretty sure this specific example would require a reboot, changing a Windows
kernel DLL. There seems to be some confusion over whether or not the 0patch
tool can update the kernel without a reboot, though.
[https://news.ycombinator.com/item?id=13775550](https://news.ycombinator.com/item?id=13775550)

Patching a user mode app/dll would not require a reboot, just a restart of the
app.

~~~
dielel
Hi, Stanka from 0patch here. If you want to enable or disable (aka "patch" or
"unpatch" the application) you don't need to restart the application. Not even
if your app is running and you've just installed 0patch agent. This is how it is
designed to work in user space. When the official MS patch is installed
(hopefully with the fix) this particular 0patch won't apply anymore.

As we try to make 0patch agent robust and reliable we don't support kernel
mode at this moment - we will make this step slow and with great caution.

~~~
j_s
Can you please clarify whether or not this specific patch is user mode or
kernel mode? @johntb86 mentioned GDI is split and this is the user mode part.

~~~
dielel
Our micropatch (7 of them, really, for 4 different Windows OS versions) for
CVE-2017-0038 is user-mode. As are currently all our micropatches. Processes
using gdi32.dll do not need to be relaunched to have it applied.

------
pcwalton
WMF/EMF has had an infamous history of security problems—most famously, RCE in
2005:
[https://en.wikipedia.org/wiki/Windows_Metafile_vulnerability](https://en.wikipedia.org/wiki/Windows_Metafile_vulnerability)

~~~
koyote
It is truly an awful format.

Surprisingly it is still the only supported vector format in Office...

~~~
fenwick67
Hmmm, apparently 2016 and 365 support SVG finally?

[https://support.office.com/en-us/article/Insert-SVG-images-i...](https://support.office.com/en-us/article/Insert-SVG-images-in-Microsoft-Office-69f29d39-194a-4072-8c35-dbe5e7ea528c)

Only 17 years after the spec was established.

~~~
eon1
..? I made a bunch of EPS for a coworker's Excel dashboard a while back,
worked fine on 2013 and 2007.

------
sst8
Live patching is gaining the momentum - see Ksplice, Kpatch, kGraft, XEN and
similar

~~~
guipsp
This is not live patching.

~~~
j_s
A 0patch employee stopped by to explain that they live patch user mode only at
this point on Windows, kernel mode is a future goal.

[https://news.ycombinator.com/item?id=13782830](https://news.ycombinator.com/item?id=13782830)

------
johnsmith21006
Why does Microsoft not find these, and instead Google does? MS is not a startup
and it is their code. Seems weird that Google has to find their issues.

What does this say about using Google software versus software from Microsoft?
Or am I missing something obvious?

~~~
TeMPOraL
Google seems to have embarked on a mission to find vulnerabilities in
everything that touches the Internet. Good for them (free marketing), good for
us.

Forming an opinion about Microsoft vs. Google software quality would require
knowing how many similar problems Microsoft found and subsequently patched in
their software. Without that data, we can't tell whether Microsoft isn't
putting effort into finding vulnerabilities in its software, or whether Google
simply got lucky and found something Microsoft missed.

~~~
digi_owl
> Google seems to have embarked on a mission to find vulnerabilities in
> everything that touches the Internet. Good for them (free marketing), good
> for us.

And perhaps scaremongering us to embrace the cloud, and thus ChromeOS...

