RSS Channel: Comments on: Windows 10 will be covered by 0patch, a third-party paid patching service

By: JTN
In reply to <a href="https://www.osnews.com/story/140078/windows-10-will-be-covered-by-0patch-a-third-party-paid-patching-service/#comment-10441332">Alfman</a>. It's likely. However, for many people not upgrading to 11 is not about not having a TPM module but about all the major (and minor) issues that have been and still are a problem with Win 11. Like the L2 cache debacle for AMD CPUs that is almost fixed but not entirely. I have been running Win 11 three times for a few months every time, and there is always something important that breaks. If it by definition can be important since I almost exclusively use Windows for gaming. While Windows 10 for the most part works like expected. I have a reasonably modern system (Ryzen 7 5800X), so it's not like I am trying to run it on some ancient unsupported system using some hobby hack.

By: Alfman
In reply to <a href="https://www.osnews.com/story/140078/windows-10-will-be-covered-by-0patch-a-third-party-paid-patching-service/#comment-10441329">JTN</a>. JTN, <blockquote>I’m with you on this. It’s happened before and it will happen again.</blockquote> I understand the logic here. There's no scenario in which leaving users behind is good for microsoft, if the numbers are significant then microsoft will be forced to change course, but the question is how. Microsoft must realize that it would be better for them to get those users onto windows 11 than to let users linger on windows 10 indefinitely. So maybe at the last moment they will remove their own barriers that have been blocking users from upgrading to windows 11? Of course they won't get their new windows OEM sales...it's probably a bit of an internal dilemma. Either way though it seems probable that microsoft have plans to break their declared positions on either windows 10 EOL or windows 11 upgrade compatibility.

By: JTN
In reply to <a href="https://www.osnews.com/story/140078/windows-10-will-be-covered-by-0patch-a-third-party-paid-patching-service/#comment-10441281">Milo_Hoffman</a>. I'm with you on this. It's happened before and it will happen again.

By: Milo_Hoffman
$20 says Microsoft will extend support for Windows 10 users at the last moment.

By: Artem S. Tashkinov
In reply to <a href="https://www.osnews.com/story/140078/windows-10-will-be-covered-by-0patch-a-third-party-paid-patching-service/#comment-10441157">Marshal Jim Raynor</a>. Yeah, the dude clearly understands nothing about security and networking. Posted the link three times thinking it would convince people that "Windows is insecure". Didn't work.

By: FriendBesto
In reply to <a href="https://www.osnews.com/story/140078/windows-10-will-be-covered-by-0patch-a-third-party-paid-patching-service/#comment-10441149">Alfman</a>. It's conceivable that an 0day in the browser coupled with a known privilege escalation vulnerability in the OS could expose users to higher risk levels. Something like this has been demonstrated before: https://www.sentinelone.com/blog/privilege-escalation-cve-2020-17087-cve-2020-15999/ Still, as long as the browser is kept up to date, and the user practices diligence in what websites they visit, they should be fine.

By: FriendBesto
In reply to <a href="https://www.osnews.com/story/140078/windows-10-will-be-covered-by-0patch-a-third-party-paid-patching-service/#comment-10441145">kwanbis</a>. They "set up a Windows XP instance and configured it to be fully exposed with no firewall and no anti-virus software, just like the good old days". You perhaps missed my remark: if you're running from behind a Wi-Fi router, your machine doesn't expose any open ports to the internet that can be exploited. Here's an exchange from the comment system of the YouTube video demonstrating the experiment: "I had no idea that just connecting machines with obsolete operating systems to the internet could get you malware." "It can't. He's specifically operating in a way that circumvents modern protections that are built into our routers." You can run the experiment yourself, get the "Windows XP Professional (32-bit) (VirtualBox)" image from the Wayback Machine, load it up in VirtualBox, and play with it. There are many configurations where it will be able to have internet connectivity and not get trojans in 10 minutes.

By: FriendBesto
In reply to <a href="https://www.osnews.com/story/140078/windows-10-will-be-covered-by-0patch-a-third-party-paid-patching-service/#comment-10441150">Bill Shooter of Bul</a>. No, I'm not asking that. I'm asking specifically how would the malicious payload be executed on the machine? If the user will run a malicious .exe they downloaded from the internet, they have bigger problems than the OS being vulnerable to some privilege escalation CVE.

By: Alfman
In reply to <a href="https://www.osnews.com/story/140078/windows-10-will-be-covered-by-0patch-a-third-party-paid-patching-service/#comment-10441161">Bill Shooter of Bul</a>. Bill Shooter of Bul, <blockquote>No. Just as I don’t A/B test jumping out of a plane with or without a parachute. </blockquote> A/B testing is valid and useful, but the analogy as you've put it is flawed though. A better comparison would be A/B testing one parachute design versus a competing one.

By: Alfman
In reply to <a href="https://www.osnews.com/story/140078/windows-10-will-be-covered-by-0patch-a-third-party-paid-patching-service/#comment-10441153">Adurbe</a>. Adurbe, <blockquote>There is a distinction between a patch to a software provided by the developer that changes how the application behaves, and intercepting memory and injecting content. ... While Microsoft’s record hasn’t always been stellar, this technique utilised by 0patch is fraught with dangers. </blockquote> I don't think that's very fair. The techniques are effective and even promoted for hotpatching kernels like redhat. Frankly 0patch vulnerability resolution engineers may be more qualified than microsoft engineers writing OS code in the first place. If you read the examples I linked, 0patch's solution is just as effective as microsoft's solution. <blockquote>While we all hold bias, mine is derived from seeing the techniques they use to “patch” as a means of data theft, surveillance and simple execution of arbitrary code.</blockquote> It would be interesting to put their respective engineers to a competency test, not that we'll get to see that. For better or worse I think microsoft will always be given an automatic pass whether or not they actually deserve it, and other smaller competitors will be criticized whether or not they actually deserve it.

By: Bill Shooter of Bul
In reply to <a href="https://www.osnews.com/story/140078/windows-10-will-be-covered-by-0patch-a-third-party-paid-patching-service/#comment-10441156">Seeprime</a>. No. Just as I don't A/B test jumping out of a plane with or without a parachute. You look at the risk/reward *before* you do any tests. The risk is great, and what exactly is the reward? Not having to replace a PC or switch to a new operating system? It's really a question of how much you value the personal information and data stored on a PC. If it's zero, don't do anything, live with the risk. If it's more than the cost of the $25 a year but less than the cost of switching operating systems or buying a new PC, go for it I guess. If it's worth more than the cost of a new PC, you just buy a new PC.

By: Marshal Jim Raynor
In reply to <a href="https://www.osnews.com/story/140078/windows-10-will-be-covered-by-0patch-a-third-party-paid-patching-service/#comment-10441144">kwanbis</a>. "configured it to be fully exposed with no firewall and no anti-virus software"

By: Seeprime
There are some unfounded comments about how safe, or legal, 0patch is. I suggest one test it for a period of time. I gave it one year. It outperformed Microsoft patches, with no issues. Expressing a concern is fine. So, A-B test it.

By: Adurbe
In reply to <a href="https://www.osnews.com/story/140078/windows-10-will-be-covered-by-0patch-a-third-party-paid-patching-service/#comment-10441151">Bill Shooter of Bul</a>. I'm with you on that. The scale you'd need to make it viable would have to be massive. And hiring devs with this kind of skillset is very very niche (in non-darkweb industries) so I can't see them being cheap on the market.

By: Adurbe
In reply to <a href="https://www.osnews.com/story/140078/windows-10-will-be-covered-by-0patch-a-third-party-paid-patching-service/#comment-10441148">Alfman</a>. There is a distinction between a patch to a software provided by the developer that changes how the application behaves, and intercepting memory and injecting content. While we all hold bias, mine is derived from seeing the techniques they use to "patch" as a means of data theft, surveillance and simple execution of arbitrary code. While Microsoft's record hasn't always been stellar, this technique utilised by 0patch is fraught with dangers.

By: cevvalkoala
In reply to <a href="https://www.osnews.com/story/140078/windows-10-will-be-covered-by-0patch-a-third-party-paid-patching-service/#comment-10441143">kwanbis</a>. <blockquote>configured it to be fully exposed with no firewall and no anti-virus software</blockquote> He could perhaps also announce it as a challenge on the darkweb or something.