Patches Pose Significant Risk, Researchers Say
SecurityFocus (04/23/08) Lemos, Robert
A team of computer scientists has developed a technique that exploits patches and updates by automatically comparing the vulnerable and repaired versions of a program and creating attack code. The technique, which the researchers call automatic patch-based exploit generation (APEG), can generate attack code for most major vulnerabilities in minutes by automatically analyzing a patch designed to fix a flaw. If Microsoft does not change how it distributes patches to customers, attackers could create a system that attacks the flaws in unpatched systems minutes after an update is sent out, says Carnegie Mellon computer science PhD candidate David Brumley. The technique is built on methods used by many security researchers, who reverse engineer patches to find vulnerabilities fixed by the update. Normally the process can take a few days, or even hours, but Brumley and his colleagues were able to use APEG to create exploits for five recent Microsoft patches in under six seconds each time. The system does not create fully weaponized exploits and may not work on all types of vulnerabilities, but it shows that developing exploits from patches can be done in minutes. The researchers suggest that Microsoft could increase the likelihood that customers receive patches before attackers can reverse engineer them by obfuscating the code, encrypting the patches and waiting to distribute the key simultaneously, and using peer-to-peer networks to increase the distribution of patches.
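As an added illustration of the researchers' last suggestion (this is not code from the article or from the researchers), here is a toy Python model of shipping an encrypted patch ahead of time and broadcasting only the short key at release time, so every client can start decrypting at the same moment. The SHA-256 counter-mode keystream is a stand-in for a real cipher (the standard library has no AES) and the sample patch bytes are constructed.

```python
"""Toy model of 'pre-distribute the ciphertext, release the key later'.

The vendor publishes the ciphertext and a digest of the plaintext well before
the release moment. Clients already hold the bulky ciphertext when the 32-byte
key is broadcast, so decryption (and therefore patch diffing) starts everywhere
at once instead of trickling out over a staggered multi-day download rollout.
"""
import hashlib
import hmac
import secrets

# Constructed sample; not a real patch.
SAMPLE_PATCH = b"constructed sample: replace strcpy with a bounds-checked copy"


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with SHA-256(key || counter). Stand-in for AES."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hashlib.sha256(key + block_no.to_bytes(8, "big")).digest()
        chunk = data[block_no * 32:block_no * 32 + 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


def vendor_prepublish(patch: bytes):
    """Stage 1 (days early): return (bundle safe to publish, key held back)."""
    key = secrets.token_bytes(32)
    ct = keystream_xor(key, patch)
    bundle = {
        "ciphertext": ct,
        "plaintext_sha256": hashlib.sha256(patch).hexdigest(),  # binds content
        "tag": hmac.new(key, ct, "sha256").hexdigest(),          # binds key to ct
    }
    return bundle, key


def client_apply(bundle: dict, key: bytes) -> bytes:
    """Stage 2 (release moment): verify the bundle against the key, then decrypt."""
    ct = bundle["ciphertext"]
    expect_tag = hmac.new(key, ct, "sha256").hexdigest()
    if not hmac.compare_digest(expect_tag, bundle["tag"]):
        raise ValueError("key does not match bundle, or ciphertext tampered")
    patch = keystream_xor(key, ct)
    if hashlib.sha256(patch).hexdigest() != bundle["plaintext_sha256"]:
        raise ValueError("decrypted patch does not match published digest")
    return patch


def demo() -> bool:
    bundle, key = vendor_prepublish(SAMPLE_PATCH)
    return client_apply(bundle, key) == SAMPLE_PATCH
```

Note that this only removes the head start attackers get from staggered downloads; a machine that installs the patch three days after the key is released is exposed for those three days regardless.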
I know I should treat all this as a challenge but I’m ready to pull my hair out. We work to keep everything patched to a safe level, which requires a lot of time. If one is using WSUS for the windows patches, that’s scheduled and pushed out on a regular basis, but that means there are gaps and the machines are vulnerable for a certain amount of time between patches. GAG. If one is letting the computer do the automatic updates, you are at Micro$oft’s mercy as to which download group the machine will be in. I’ve had 3 day gaps between machines getting the same updates pushed out. Does that sound safe?
Not so much.
Feh. I think I’ll take up painting or something and see if I can make a living from that. Umm hmm.