News

0Patch Promises Two More Years of Patch Support for Windows 7 and Windows Server 2008 R2

• By Kurt Mackie
• 01/11/2023

Microsoft this week ended its patch support for Windows 7 and other venerable Windows products, but one company, 0patch, is saying that it'll provide fixes for "Critical" security issues for another two years.

0patch, which issues so-called "micropatches" for other companies' software, is part of Acros, a security research company based in Slovenia. In October, 0patch announced that it will provide two more years of Critical security patches for both Windows 7 and Windows Server 2008 R2. In January, 0patch announced patch support for the Microsoft Edge browser on those operating systems. It'll also offer two years of Edge patch support for Windows Server 2012, another Microsoft product that will fall out of support this year in October.

Micropatching Explained
To hear 0patch explain it, in-memory micropatching comes with reduced risks over conventional patches from software vendors that may change the source code. The patches get downloaded from 0patch's servers, but get applied in memory.

Here's how micropatching was explained by Mitja Kolsek, 0patch's cofounder, via e-mail:

Our patches get downloaded from 0patch servers, stored on the computer and applied in memory of running processes whenever needed. They are very different to official Windows updates, which replace entire executable files -- 0patch patches are very small and only correct a very targeted piece of code to remove an individual vulnerability each. You can find out more about them here.

Organizations can test 0patch's micropatches on a group of computers if they want. The micropatches can be easily removed, too, without a PC reboot.

"Fortunately, applying and un-applying any one of our patches is an instant event (because it all happens in the memory) and does not require a computer restart or even relaunching the patched application," Kolsek explained.

The micropatches don't change Microsoft's executable files. "0patch patches are very small and only correct a very targeted piece of code to remove an individual vulnerability," Kolsek indicated.

The micropatch concept maybe sounds too good to be true, and it would solve a lot of problems that organizations have in keeping current with Microsoft's software. So I asked Kolsek why Microsoft doesn't do micropatching for its customers. Here's his interesting response:

Microsoft has been experimenting with in-memory patching back on Windows Server 2003, but that hasn't gained ground for some reason. Last year, they started providing "hotpatching" on Azure-based Windows Server 2022, which is somewhat similar to what we do. There is no proprietary technology involved in our solution as what we do has been known for decades -- it's just that we have created an affordable and easy-to-use service that addresses the needs of many Windows users.

0patch creates its Critical micropatches based on its work with the greater security research community and published proof-of-concept code. It doesn't get any specific help from Microsoft.

"We do not currently get any non-public information from Microsoft, nor is there any collaboration there," Kolsek said.

The Compliance Question
Compliance may still be a concern for organizations adopting the 0patch approach. It just gets assured by an auditor assessing 0patch's solution. Here's how Kolsek explained that aspect:

Standards and regulations that various organizations must comply with have different requirements for patching and mitigations, but none that we know of explicitly mention unofficial or third-party patches. It is therefore up to the auditor to decide how to categorize 0patch in the context of these requirements, which they also do in case of mitigations that organizations put in place for preventing exploitation of unpatched vulnerabilities.

"We make licensing very simple by requiring one license for every computer that has 0patch Agent registered -- whether it's a workstation or a server, a virtual or physical machine," Kolsek indicated.

The company offers Pro and Enterprise subscription options:

A "PRO" license costs 24.95 EUR/year (2.50 EUR/month) and is suitable for small businesses that don't need central management, while an "Enterprise" license costs 34.95 EUR (3.50 EUR/month) and brings central management, group management, unattended installation, automatic registration to selected groups, SAML single sign-on, and additional features in the near future.

0patch doesn't patch vulnerabilities within the Windows kernel or .NET code. The limits of its micropatch approach are described in this 0patch article. A link to its frequently asked questions page can be found here.