Patches Pose Significant Risk, Researchers Say
SecurityFocus (04/23/08) Lemos, Robert
A team of computer scientists has developed a technique that exploits patches and updates by automatically comparing the vulnerable and repaired versions of a program and creating attack code. The technique, which the researchers call automatic patch-based exploit generation (APEG), can generate attack code for most major vulnerabilities in minutes by automatically analyzing a patch design to fix a flaw. If Microsoft does not change how it distributes patches to customers, attackers could create a system that attacks the flaws in unpatched systems minutes after an update is sent out, says Carnegie Mellon computer science PhD candidate David Brumley. The technique is built on methods used by many security researchers, who reverse engineer patches to find vulnerabilities fixed by the update. Normally the process can take a few days, or even hours, but Brumley and his colleagues were able to use APEG to create exploits in five recent Microsoft patches in under six seconds each time. The system does not create fully weaponized exploits and may not work on all types of vulnerabilities, but it shows that developing exploits from patches can be done in minutes. The researchers suggest that Microsoft could increase the likelihood that customers receive patches before attackers can reverse engineer them by obfuscating the code, encrypting the patches and waiting to distribute the key simultaneously, and using peer-to-peer networks to increase the distribution of patches.
Click Here to View Full Article
No comments:
Post a Comment