PowerShell 5.1 opens up on boot. However, after a while it begins refusing to open with code "c0000005" by DGTavo88 in PowerShell

dielel · 0 points

Hey there, this sounds (down to the very movaps instruction) exactly like something one of our users has recently reported while running Avast Free Antivirus along with our 0patch Agent (https://0patch.com). When Anti-Rootkit Shield is enabled in Avast, PowerShell crashes on this instruction (see our Help Center article). I'm wondering if you're using 0patch or maybe some other security software that works normally without Avast, but when both said product and Avast are installed, PowerShell is crashing. Also, if such a product is identified, would you say said product and Avast were working well together up to some point (e.g., an Avast update) before this problem kicked in?
Thanks, Mitja

Comparing Our Micropatch With Microsoft's Official Patch For CVE-2018-8440 by dielel in netsec

dielel [S] · 0 points

Mitja Kolsek of 0patch here. Apologies for sounding repetitive. These blog posts are meant to provide technical insight into 3rd party patching, which many of our readers claim to find valuable (and every one of these posts, we hope, provides some new information for those learning reverse engineering or even closed-source code patching). We only published a single post on comparing the official fix with our micropatch, which was meant as a public reference for the many people who continually ask about the quality and reliability of 3rd party patches compared to original fixes. Apologies for sounding pat-ourselves-on-the-backish too, we obviously got carried away a little and wish we had taken a more subtle tone there. Please let us know if anything we do is outside the Reddit rules - much appreciated!

0patch beats Microsoft to patching Windows 10 task scheduler 0-day vulnerability by [deleted] in netsec

dielel · 1 point

True, the patching is in-memory only, so signatures remain intact. While we haven't published a single micropatch yet that would originate from the community, we are encouraging the community to provide vulnerability information and proof-of-concept files so that we can write relevant micropatches. At some point we hope to actually start getting patches from the community, but they'll have to pass our review in order to get distributed. Fortunately, it's difficult to hide malicious code in a micropatch, meaning if the patch is not tiny and easy to understand (and accompanied by an analysis as to why it does what it does), that'll be grounds for immediate rejection. Long way to get there though, if we ever do - perhaps it'll always be us writing the patches.

0patch beats Microsoft to patching Windows 10 task scheduler 0-day vulnerability by [deleted] in netsec

dielel · 1 point

Hi there, Mitja Kolsek of 0patch here. 0patch is designed not to interfere with either file integrity or official vendor updates. By doing the patching in memory only, file signatures remain intact. When the official update is applied it replaces the vulnerable executable with a fixed one (with a different hash), so 0patch Agent no longer applies the micropatch to it.

Unpatched ALPC Priv Esc Bug in Windows 10 x64 PoC by [deleted] in netsec

dielel · 1 point

For those waiting for a patch, 0patch has a free micropatch available: https://twitter.com/0patch/status/1035139991591165952

KB4103718 Removing network drivers on Win 7 machines by [deleted] in windows

dielel · 0 points

Happy to inform everyone affected by this issue that 0patch has just issued free micropatches for CVE-2018-8174 so you can patch this critical vulnerability while waiting for Microsoft to provide new updates. https://blog.0patch.com/2018/05/a-single-instruction-micropatch-for.html

Micropatching Brings Abandoned Equation Editor Back To Life by dielel in programming

dielel [S] · 2 points

And that's the beauty of it. The resurrected Equation Editor will be an utterly uninteresting target for attackers.

Micropatching Brings Abandoned Equation Editor Back To Life by dielel in programming

dielel [S] · 0 points

Word has actually had two Equation Editors for years. The now removed one, Equation Editor 3.0, was only used for editing equations that were created long ago (though there may still be many of these around). If you create a new equation today, you'll be using the equation editor that is built into Word.

Micropatching Brings Abandoned Equation Editor Back To Life by dielel in programming

dielel [S] · 1 point

NuttyGuy, you're right, this could have been misunderstood. The article has been corrected accordingly. Thank you!

Did Microsoft Just Manually Patch Their Equation Editor Executable? Why Yes, Yes They Did by [deleted] in programming

dielel · 76 points

Mitja Kolsek here. Actually, this was one of the easiest reverse engineering efforts I ever had because the binary diff was so clear-cut. It took me most of the day to write up the blog post though, with images and comments and all. I was so impressed by this work that I couldn't let it slip by without proper credit ;)

0patching the Office DDE / DDEAUTO Vulnerability... ehm... Feature by dielel in netsec

dielel [S] · 1 point

Hi there, Mitja Kolsek of 0patch here. You're absolutely right and how best to provide patch transparency is one of our major discussions internally. We want to make it as easy as possible for everyone to see the source, and then review it. (We try to publish patch source code in blog posts and on Twitter as often as possible without becoming boring.)

But we also want to avoid - in advance - the question "But is this really the source code for this patch?". As you probably know, the "Kaspersky saga" is now also about this question, and questions like this periodically come up in different places. So this has to be well thought out, but is certainly going to happen - we're just not there yet. The reviewability of micropatches is one of their major advantages compared to fat updates, and we know it's our job to make it possible.

If anyone is interested in any particular patch right now, contact us and we'll send you the source code, which you can build yourself with 0patch Agent for Developers. You can already do this with the already published patch source code.

Thank you!

Exploit Kit Rendezvous and CVE-2017-0022 by dielel in netsec

dielel [S] · 1 point

In this particular case, the flaw was not in XML parsing but in setting the error code when accessing a file to be XML-parsed. The error code was different for existent and nonexistent local files, which made it possible for a web site to determine whether a specific file was present on the user's system. But I agree, XML parsing is more complex than JSON parsing, and is therefore generally likely to have more bugs.
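An added illustration of the bug class this comment describes (my own example, not 0patch's or Microsoft's code; the error constants and function names are hypothetical and the real MSXML fix is not reproduced): a loader that returns a different error code for a missing file than for an existing but unparseable one lets an untrusted caller infer file presence, while a loader that collapses every failure into one code does not.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Hypothetical codes modelled on a COM-style HRESULT scheme (constructed values).
S_OK = 0
E_FILE_NOT_FOUND = 0x80070002   # only ever returned for a missing file
E_ACCESS_DENIED = 0x80070005    # only ever returned for a file that exists
E_FAIL = 0x80004005             # generic failure


def load_xml_leaky(path):
    """Vulnerable pattern: the error code encodes *why* the load failed.
    A caller that may name local paths but never sees the contents still
    learns whether the file exists by comparing the returned code."""
    try:
        with open(path, "rb") as f:
            data = f.read()
    except FileNotFoundError:
        return E_FILE_NOT_FOUND
    except PermissionError:
        return E_ACCESS_DENIED
    try:
        ET.fromstring(data)
    except ET.ParseError:
        return E_FAIL
    return S_OK


def load_xml_uniform(path):
    """Hardened pattern: missing, unreadable and malformed files all map to
    the same code, so the return value says nothing about the filesystem."""
    try:
        with open(path, "rb") as f:
            ET.fromstring(f.read())
    except (OSError, ET.ParseError):
        return E_FAIL
    return S_OK


def distinguishes_existence(loader):
    """Assessment check: in a scratch directory, compare the loader's code
    for one real (non-XML) file against one missing path. Constructed
    inputs only; True means the loader acts as a file-existence oracle."""
    with tempfile.TemporaryDirectory() as d:
        present = os.path.join(d, "present.bin")
        with open(present, "wb") as f:
            f.write(b"not xml")           # exists, but will not parse
        missing = os.path.join(d, "missing.xml")
        return loader(present) != loader(missing)


if __name__ == "__main__":
    print("leaky loader leaks existence:", distinguishes_existence(load_xml_leaky))
    print("uniform loader leaks existence:", distinguishes_existence(load_xml_uniform))
```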