Went just now to the 0patch blog and found this:
My previous post where I saw a message from 0patchFREE saying it had fixed the IE 11 JS bug now seems to be accurate, according to 0patch's blog post.
"Last Friday, Microsoft published an advisory about a remotely exploitable memory corruption vulnerability (CVE-2020-0674) that was reported to them by Qihoo 360 as being exploited in the wild. These attacks were reportedly limited so Microsoft decided not to rush with issuing a patch but will rather provide one as part of February's Patch Tuesday. They did, however, provide a workaround.
Because the provided workaround has multiple negative side effects, and because it is likely that Windows 7 and Windows Server 2008 R2 users without Extended Security Updates will not get the patch at all (their support ended this month), we decided to provide a micropatch that simulates the workaround without its negative side effects.
The vulnerability is in jscript.dll, which is the scripting engine for legacy JScript code; note that all "non-legacy" JScript code (whatever that might be), and all JavaScript code gets executed by the newer scripting engine implemented in jscript9.dll.
Microsoft's workaround comprises setting permissions on jscript.dll such that nobody will be able to read it. This workaround has an expected negative side effect that if you're using a web application that employs legacy JScript (and can as such only be used with Internet Explorer), this application will no longer work in your browser."
I've implemented 0patch and my first impression is "awe-struck". Looks good. Thanks for your posts, nord899; they inspired me!
maxseven,
Well, so far so good. My feeling is that 0patch needed to show their bona fides right away and the IE 11 flaw was a good way to start things off. I suspect that they want everyone to pay the monthly vig, just like MS, so I hope that they will continue to provide the rest of us on the free wagon bug fixes good enough to keep W7 safe. Here's hoping!
Re: free fixes, I agree. OTOH, $26 bucks per year is darn cheap, huh.
Today I see that a 2nd patch has been applied: to goopdate.dll, "DropBox Updater".
Wonder, nord899, if you have been seeing, as I have, that the taskbar icon is amber when I wake my PC, indicating no connection with the server. Then I open it and click "Sync Now" and it works and all is OK.
Can't say I understand it completely, for example the Patch Activity segment says "2 patches were applied" and under that 15 TIMES and "5 applications were patched". Guess I should do some more exploring of the Agent.
EDIT: Ah, I see when I click "PATCHED APPLICATIONS" that there are the 5: two Aviras, two Dropbox, one Quicken. So now I know if I have any anomalies with these I can suspect the 0patch actions and disable if necessary.
I emailed 0patch support about my amber/unable to connect concern and they responded right away that the app itself needs not to check for connection so quickly on computer wake.
I haven't purchased a license yet but likely will soon. FWIW "Installed patches" now total 320!!! My opinion will likely change the instant my PC starts acting up, but I'm finding 0patch to be way more reassuring than MS ever has been, what with telling me exactly what is being patched where. Will be interesting to follow it along and see if I ever need to un-enable a patch.