This vulnerability was actively exploited on all versions of Windows, especially on Windows 7. Unfortunately, Microsoft announced that they would not be releasing any new updates until Patch Tuesday in February. That is why 0patch released a micro-patch to help those affected by the vulnerability.
0patch acts before Microsoft does
Microsoft did publish a workaround for the issue, but it has its own set of flaws.
Because the provided workaround has multiple negative side effects, and because it is likely that Windows 7 and Windows Server 2008 R2 users without Extended Security Updates will not get the patch at all (their support ended this month), we decided to provide a micropatch that simulates the workaround without its negative side effects.
Microsoft’s workaround comprises setting permissions on jscript.dll such that nobody will be able to read it. This workaround has an expected negative side effect that if you’re using a web application that employs legacy JScript (and can as such only be used with Internet Explorer), this application will no longer work in your browser.
Among the side effects of using the workaround, several were mentioned:
- Windows Media Player breaks MP4 files.
- SFC chokes on jscript.dll.
- Printing to Microsoft Print to PDF breaks.
- Proxy automatic configuration scripts (PAC scripts) may not work.
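To check whether the permission-based workaround described above is in place on a machine, and so whether these side effects can be expected there, the following PowerShell audit can be used. It is an added example, not code from the article, Microsoft or 0patch; the function name `Test-JScriptWorkaround`, the two file locations and the assumption that the workaround shows up as a Deny entry for Everyone are illustrative.

```powershell
# Added example, not from the article or from 0patch.
# Assumption: the workaround appears as a Deny entry for Everyone (SID S-1-1-0)
# that covers read access on jscript.dll.
function Test-JScriptWorkaround {
    param([Parameter(Mandatory = $true)][string]$Path)

    $r = New-Object PSObject -Property @{
        Path = $Path; Exists = $false; DenyEveryoneRead = $null; Readable = $null
    }
    if (-not (Test-Path $Path)) { return $r }
    $r.Exists = $true

    # 1. Look for the deny entry. Reading the ACL can itself be refused when
    #    the caller is not the file owner; DenyEveryoneRead then stays $null.
    try {
        $acl   = Get-Acl -Path $Path -ErrorAction Stop
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $hits  = @($rules | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -eq 'S-1-1-0' -and
            ([int]$_.FileSystemRights -band [int][System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0
        })
        $r.DenyEveryoneRead = ($hits.Count -gt 0)
    } catch { }

    # 2. Confirm the effect: can this process open the file for reading?
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        $fs.Dispose()
        $r.Readable = $true
    } catch [System.UnauthorizedAccessException] {
        $r.Readable = $false
    } catch { }
    return $r
}

# Run from a 64-bit PowerShell on 64-bit Windows; a 32-bit process is
# redirected from System32 to SysWOW64 and would check the same file twice.
"$env:windir\System32\jscript.dll", "$env:windir\SysWOW64\jscript.dll" |
    ForEach-Object { Test-JScriptWorkaround -Path $_ } |
    Select-Object Path, Exists, DenyEveryoneRead, Readable |
    Format-Table -AutoSize
```

A row with `DenyEveryoneRead` true and `Readable` false indicates the workaround is active for that copy of the DLL; `Readable` true means legacy JScript can still be loaded from that path.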
For those of you that haven’t used the 0patch platform yet, you should know that the micro-patch is available in 32-bit and 64-bit formats for the following versions of Windows: Windows 7, Windows 10 v1709, Windows 10 v1803, Windows 10 v1809, Windows Server 2008 R2, and Windows Server 2019.
Did you test the 0patch update yourself? Tell us if it fixed any of the vulnerabilities you may have encountered.