Third Party company release patch for the data-leaking Windows Vulnerability Microsoft forgot to fix

Windows users are currently exposed to two known zero-day exploits after Google revealed the presence of these inevitable flaws in Windows before Microsoft was ready to fix them.

In fact Microsoft had cancelled the whole of Patch Tuesday last month after running into “last-minute issue that could impact some customers and was not resolved in time for our planned updates,” leaving Windows users uncharacteristically exposed.

Now security company ACROS Security has released what they call their first nano-patch for CVE-2017-0038.

CVE-2017-0038 is the bug in EMF image format parsing logic that does not adequately check image dimensions specified in the image file being parsed against the amount of pixels provided by that file. If image dimensions are large enough the parser is tricked into reading memory contents beyond the memory-mapped EMF file being parsed. An attacker could use this vulnerability to steal sensitive data that an application holds in memory or as an aid in other exploits when ASLR needs to be defeated.

Their free patch is available for Windows 10 (64-bit), Windows 8.1 (64-bit), and Windows 7 (64bit and 32bit) and is meant to serve as a temporary solution until Microsoft releases its own fix, and is delivered by their 0Patch Agent app.

We have not heard of widespread exploits of this issue in the wild yet, and adding unknown 3rd party patches to your OS is probably not a good idea from a reliability point of view. If however you are desperate to secure your PC from this threat you can read more about the patch and its install procedure here.