Using off-the-shelf tools, exploits for software vulnerabilities can be crafted
in as little as 30 seconds after studying the vendor's patch, according to a
recently
published research paper.

The researchers focused on patches for five Microsoft software programs, which
were analyzed to find out how the applications were repaired. Using an automated
tool, an exploit -- or code designed to attack a machine a weak point -- could
be created in a few minutes or less after looking at the patch, they wrote.

The research means it is theoretically possible for hackers to start trying
to exploit machines a short time after the attackers have received the patch,
putting more PCs at risk of becoming infected with malicious software.

Already, hackers are pretty fast. Microsoft issues patches on the second Tuesday
of every month, and exploit code for some the publicly disclosed vulnerabilities
will usually appear the next day. They're able to do that through reverse engineering
and poking around the code to find out what's wrong.

But creating exploits faster would give hackers more time to find vulnerable
machines while Microsoft is in the process of distributing patches through Windows
Update, the company's patch download feature.

Even 24 hours after patches have been issued, only 80 percent of Windows machines
have called on Microsoft's servers, the paper said. That delay is intentional.
Other vendors similarly roll patches out gradually in order to reduce the burden
on their servers.

But that's probably going to have to change, the researchers said.

"One immediate consequence we suggest is that the current patch distribution
schemes are insecure, and should be redesigned to more fully defense against
automatic patch-based exploit generation," they wrote.

The researchers call the method "Automatic Patch-Based Exploit Generation."
One of the tools the researchers used to see what a patch fixed is a code-analysis
tool called eEye
Binary Diffing Suite.

In one example, the tool took less that two minutes to figure out the vulnerability
with the Windows Graphic Device Interface, used to display graphics. The problem
(MS07-046)
could allow an attacker to take complete control of a machine, and it was patched
by Microsoft in August 2007. The researchers were quickly able to craft a denial-of-service
exploit.

There are a few ways to keep attackers at bay, though. Vendors can create patches
that hide what they've fixed in order to make it harder to figure out.

Also, encrypted patches could be distributed, and then an encryption key released
once all the machines have the patches. The key would unlock the patch but prevent
reverse engineering until all machines are fixed. Another option is to use P-to-P
(peer-to-peer) networks in order to distribute patches faster.

The paper was written by David Brumley and Pongsin Poosankam of Carnegie Mellon
University, Dawn Song of the University of California at Berkeley and Jiang
Zheng of the University of Pittsburgh.

IDG News Service

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine