0patch has now issued another micropatch to correct the official Microsoft patch, which according to the experts is incomplete.
The root cause of the problem resides in the Windows core dynamic link library “msrd3x40.dll.”
“As expected, the update brought a modified msrd3x40.dll binary: this is the binary with the vulnerability, which we had micropatched with four CPU instructions (one of which was just for reporting purposes),” wrote Mitja Kolsek, a researcher with the 0patch team.
“The version of msrd3x40.dll changed from 4.0.9801.0 to 4.0.9801.5 and of course its cryptographic hash also changed – which resulted in our micropatch for this issue no longer getting applied to msrd3x40.dll.”
Experts pointed out that the official patch doesn’t fix the vulnerability, but only limits it. The micropatch works on fully updated 32-bit and 64-bit Windows 10, Windows 8.1, Windows 7, Windows Server 2008 and Windows Server 2012, as well as other Windows versions that share the same version of msrd3x40.dll.
“So we BinDiff-ed the patched msrd3x40.dll to its vulnerable version and reviewed the differences. At this point we will only state that we found the official fix to be slightly different to our micropatch, and unfortunately in a way that only limited the vulnerability instead of eliminating it,” continues Kolsek.
“We promptly notified Microsoft about it and will not reveal further details or proof-of-concept until they issue a correct fix.”
0patch reported the problem to Microsoft and plans to publish the official proof-of-concept code after the tech giant fixes it.
(Security Affairs – CVE-2018-8423, hacking)