On May 18 security researchers will gather at the IEEE Symposium on Security and Privacy. One of the papers to be represented is "Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications" by David Brumley, Pongskin Poosankam, Dawn Song and Jiang Zheng. These researchers showed how given a Microsoft patch, they were able to reverse engineer the patch and create a quick exploit to the original code. Their point was to show how Microsoft's current deployment of patch shipment is at fault, allowing attackers access to an exploit before other users have even begun to download the patch, a system which requires a redesign.
This seems like big news, even security expert Bruce Schneier took the time to blog about this research. The researchers conclude that current patch distribution schemes are insecure. The researchers do provide alternatives but for the meanwhile I find that these claims aren't mature enough, in a security manner of speech. After all, is that what we want - that Microsoft eliminates its patching process now that it knows that the vulnerability may be exploited as a result of distributing the patches?
That said, the research do have a point - the timeframe of hackers to attack unpatched systems is quite large when these systems rely on patch deployment as their sole means of protection.
This argument actually strengthens my claim that it is necessary to deploy 3rd party components which provide virtual patching in order to minimize the window of opportunity for attackers. These virtual patches can be deployed quickly, providing a fast response time to protect against a potential attack by acting as the front guard before the system itself is properly fixed and updated.
Leave a comment