14 DAY TRIAL // Windows 7 monthly rollup KB4103718 and security-only update KB4103712 break down networking on computers installing them, and while Microsoft has already acknowledged the problems, a fix is yet to be provided to impacted systems.
In the meantime, however, 0patch has released a third-party Windows 7 update that addresses the security vulnerability detailed in CVE-2018-8174, and also fixed in Microsoft’s botched patches, without actually causing any other problems on Windows machines.
While some people might be reluctant to installing third-party Windows updates on their systems, an in-depth analysis published by 0patch shows exactly how their team of engineers managed to determine the root cause of the issue and resolve the vulnerabilities without breaking down network connections like Microsoft’s original fixes.
“Our micropatches for this vulnerability have been labeled ZP-320 and ZP-321 for 32-bit and 64-bit version of oleaut32.dll respectively, and are applicable on Windows 7 and Windows 2008 Server updated up to April 2018 Windows updates,” 0patch co-founder Mitja Kolsek explains.
The vulnerability
CVE-2018-8174 is a remote code execution vulnerability in VBScript engine, and an attacker can successfully exploit it using a crafted website loaded in Internet Explorer or applications using this browser engine. The flaw exists in all versions of Windows, including in Windows 10, and Microsoft has already patched it.
But with Windows 7 updates causing networking issues, some users might decide to remove them, instead leaving their computers open to attacks.
Microsoft itself has already acknowledged attacks aimed at this flaw in the wild, and this emphasizes just how critical it is for users to keep their devices protected.
“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft says.
The next Patch Tuesday takes place on June 12, though there’s a good chance that a revised update for Windows 7 systems might be released by Microsoft in the coming days.