[German]In Part 1, I described how I was able to install the February 2020 security update on Windows 7 SP1 using an ESU license and the ByPassESU solution. Part 2 now deals with securing a Windows 7 SP1 system after the end of support using the 0Patch micro patches. This is the solution that should also work for private users (free of charge).
The team of ACROS Security develops so-called micropatches at 0patch to close vulnerabilities in Windows or Windows software. 0patch has announced that they will provide security fixes for Windows 7 SP1 and Windows Server 2008/R2 after the end of support for Windows 7/Server 2008. I had already reported about this in the blog post Windows 7/Server 2008/R2: 0patch delivers security patches after support ends.
What we need
What you need first is a user account on the 0patch website. ACROS Security offers several models, which I already described in the blog post Project: Windows 7/Server 2008/R2 Life Extension & 0patch one month trial.
- For private users the free plan is sufficient, because ACROS Security intend to fix the most critical vulnerabilities in Windows 7 SP1 with micro patches (but on an exeptionla/ocassional base).
- For users in corporate environments, a Pro or Enterprise plan is available (that’s what I use). There are monthly micro patches for all critical vulnerabilities closed by Microsoft, where ACROS Security was able to create a micro patch – in some cases a vulnerability has a low risk and probably won’t patched.
Once a user account has been created with 0patch, the so-called 0patch agent need be downloaded and installed on Windows 7. If the browser gives a warning and asks if you want to keep 0PatchInstaller_xxx.msi, confirm this with Keep button. The installation of the 0patch agent requires administrative privileges, i.e. the user account control need to be confirmed by an administrator. Some notes on the installation and the 0patch console can be found in the blog post 0patch: Fix for Internet Explorer 0-day vulnerability CVE-2020-0674.
Knowledge: The 0Patch Service
After successful installation, a corresponding 0Patch service is set up under Windows 7, which always runs. Here is some information what you should know.
- Once everything is set up, this service pulls the patches available for the user account and stores them in an internal database. It is set up via the 0patch console (see below).
- The service ensures that when Windows 7 starts, the modules called can be monitored.
- If an application or Windows module for which a micro patch exists is loaded into memory, the service then injects the relevant code into the RAM area of the loaded module.
This is a functionally completely different approach to the way Microsoft updates are handled. A Microsoft Update is installed on Windows 7, and a number of files may be exchanged. Once the Microsoft Update is installed, the patches remain on the machine.
The 0patch agent cannot use this approach and inject its code into the program or Windows files. This is because it would damage the digital signature of the file in question, since the file has been manipulated. A verification of the digital signature would then trigger an alarm. Therefore the approach outlined above is used to load the micro patch into the memory of the running mode.
On the one hand, this is a ‘slim’ solution, since often only a few bytes need to be injected into memory with the fix. But if the 0patch service is not running or the 0patch solution is uninstalled, the protection is gone. The whole thing can be read in the user manual.
The 0Patch Console
To access the options that the 0Patch service can use, the so-called 0Patch console is available under Windows 7. This can be accessed by the user via the Start menu. During the first startup, a login screen appears in which the user enters the access data (e-mail address and password) for his 0patch user account. Based on these access data and the selected price plan, the agent decides which micro patches are available and loads them into the local database.
The figure above shows the user interface after a valid login to the user account. Use the icons at the top of the window to insert the individual categories (compare also the explanations here). Actually, you don’t need to set much and should only make sure that the 0patch agent has not been disabled via the console (see the Enabled option in the following figure).
If necessary, however, it is possible to deactivate individual micro patches for applications (see the following figure, the Status column for Applied Patches). The user manual provides detailed information on this.
he collision between the 0patch agent and Firefox 73 has now been fixed by Mozilla (see the blog post here)..
Testing whether the 0patch solution works
I have been asked by blog readers who were unsure if the 0patch agent would work. There is a good way to do a quick test under Windows 7. 0Patch offers a test page for Internet Explorer 11 which shows, if a micro patch from January 2020 works (see also this blog post). If this page is called up in Internet Explorer 11 under Windows 7, a message is displayed indicating whether the browser is protected.
In the figure above, the test page reports that the micro patch is not present – which is correct. I have disabled the agent for testing. If the 0patch agent is enabled again, Internet Explorer 11 should show a positive message.
Where is 0Patch at the end of February 2020?
The 0patch developers have published this blog post with information and this detail page about the patch status for Windows 7 and Windows Server 2008 R2 on February 22, 2020. There you can find information about all known vulnerabilities, a rating by Acros Security and, if applicable, about the vulnerabilities fixed by micro patch under a Pro or Enterprise account.
If you have a free account, you don’t really need this information, because Acros Security patches the most important vulnerabilities as long as the 0patch agent is running.
Wow! Windows 7 get extended support until January 2023
Windows 7: Free Extended Update Support and usage
Windows 7 Extended Security Updates (ESU) requirements
Windows 7 Extended Security Update (ESU) program available
Windows 7 Extended Security Updates (ESU) program, price and source for SMEs
Windows 7: Buy and manage ESU licenses – Part 1
Windows 7: Preparing for ESU and license activation – Part 2
Windows 7: ESU Activation inEnterprise Environment – Part 3
Windows 7: ESU questions and more answers – Part 4
Windows 7/Server 2008/R2: 0patch delivers security patches after support ends
Project: Windows 7/Server 2008/R2 Life Extension & 0patch one month trial
0patch: Fix for Internet Explorer 0-day vulnerability CVE-2020-0674