Once we have a POC and know how the vulnerability was fixed by the people who know the vulnerable code best (i.e., Microsoft developers), we'll port their fix, functionally speaking, as a series of micropatches to the vulnerable code in Windows 7 and Windows Server 2008, and test them against the POC.
Sometimes a POC is published by security researchers soon after the official vendor fix is out (and sometimes even before); other times we can get one from our partner network or threat intelligence sources; occasionally researchers share a POC with us privately; and sometimes we have to create a POC ourselves by analyzing the official patch and working our way out towards the input data that steers the execution to the vulnerability. If the high-risk vulnerable code is found to be present on Windows 7 or Windows Server 2008, we'll start a process of obtaining a proof-of-concept (POC) for triggering the vulnerability. (For all intents and purposes, such vulnerabilities will be considered 0days for these OSs.)
For the identified high-risk vulnerabilities we'll inspect Windows Updates for supported Windows versions (e.g., Windows 10) to confirm whether the vulnerable code that was fixed in Windows 10 is actually present on Windows 7 or Windows Server 2008. Each Patch Tuesday we'll review Microsoft's security advisories to determine which of the vulnerabilities they have fixed for supported Windows versions might apply to Windows 7 or Windows Server 2008 and present a high-enough risk to warrant micropatching. With Windows 7 now officially at EOL, 0patch is adopting the following approach: The company will use security advisories that are issued by Microsoft to determine any vulnerabilities in Windows 7 and Windows Server 2008 that need addressing, and work to produce fixes.
Microsoft has - at least in theory - released the last update for Windows 7 that will be available to everyone. Following on from what it did with Microsoft Office Equation Editor, 0patch has already announced that it is going to "security-adopt" Windows 7 and Windows Server 2008.