
SANS Internet Storm Center (ISC) Handler Diary

The Patch Window is Gone: Automated Patch-Based Exploit Generation

For some time, many researchers have been pointing out that the "patch window" (the time between a patch being released and a working exploit being developed) has been shrinking. A few years ago the ISC's Johannes Ullrich gave a presentation on this subject which showed the patch window down to a few days. Today another Handler, Mari Nichols, pointed me to this research from a joint project between Berkeley, the University of Pittsburgh and Carnegie Mellon.

It has long been known that a patch can be reverse-engineered to help attackers write an exploit for a vulnerability that is not fully detailed in public advisories (for good reason). The bad guys have gotten good enough at this to turn around an exploit within a day or so of a patch being released. What is interesting about this research is that the authors developed a method, built partly from off-the-shelf tools, that automates the process.

In some of the cases they tried, they claim to have created an exploit within minutes of receiving the patch, by comparing the patched version of the application with the unpatched one. To be fair, the process is rough: more often than not the generated "exploit" merely crashes the target (a DoS), and several attempts were needed to get something closer to viable. But since the process takes minutes, if the method is improved it could become trivial to build something that grabs patches the moment they are released, turns out an exploit in minutes, and starts infecting vulnerable machines before 3am, ahead of even automated patching during the monthly patch dump.
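To make the mechanism concrete, here is an added toy example; it is not code from this diary or from the Berkeley/Pittsburgh/CMU paper, and the two parser functions, the 16-byte buffer and the "length byte followed by payload" wire layout are all constructed for illustration. The paper's tool works on x86 binaries with symbolic execution and a constraint solver; this toy replaces that with a source diff and a hand-coded input layout, but the idea is the same: the check a patch adds spells out exactly which inputs the unpatched code mishandles.

```python
"""Toy illustration of patch-based exploit generation (added example, not code
from the ISC diary or from the Berkeley/Pittsburgh/CMU paper).

Both parser versions are constructed for this example. The unpatched one trusts
a length byte; the patched one adds a bounds check. We diff the two function
bodies, pull out the added guard, compute a value that trips it, and map that
value back onto the (assumed, hard-coded) wire layout.
"""
import ast
import difflib
import inspect
import textwrap

BUF_SIZE = 16  # simulated fixed-size buffer (constructed value)


def parse_record_unpatched(data: bytes) -> bytearray:
    """Vulnerable: copies data[0] bytes into a BUF_SIZE buffer with no check."""
    buf = bytearray(BUF_SIZE)
    n = data[0]
    for i in range(n):
        buf[i] = data[1 + i]  # IndexError here stands in for memory corruption
    return buf


def parse_record_patched(data: bytes) -> bytearray:
    """Fixed: identical except for the added length check."""
    buf = bytearray(BUF_SIZE)
    n = data[0]
    if n > BUF_SIZE:
        raise ValueError("record too long")
    for i in range(n):
        buf[i] = data[1 + i]
    return buf


def added_guards(old, new):
    """Diff the two sources and return the test expression of every added 'if'."""
    old_src = textwrap.dedent(inspect.getsource(old)).splitlines()
    new_src = textwrap.dedent(inspect.getsource(new)).splitlines()
    guards = []
    for line in difflib.unified_diff(old_src, new_src, n=0, lineterm=""):
        if line.startswith("+") and not line.startswith("+++"):
            stmt = line[1:].strip()
            if stmt.startswith("if ") and stmt.endswith(":"):
                guards.append(ast.parse(stmt + "\n    pass").body[0].test)
    return guards


def tripping_value(guard, env):
    """Return (variable, value): a value of the guarded variable that makes the
    new check fire. This toy solver only handles a single comparison of a name
    against an expression resolvable in env (e.g. 'n > BUF_SIZE')."""
    if not (isinstance(guard, ast.Compare) and len(guard.ops) == 1
            and isinstance(guard.left, ast.Name)):
        raise NotImplementedError("toy solver handles 'name <op> expr' only")
    rhs = eval(ast.unparse(guard.comparators[0]), env)  # BUF_SIZE -> 16
    op = guard.ops[0]
    if isinstance(op, (ast.Gt, ast.NotEq)):
        return guard.left.id, rhs + 1
    if isinstance(op, (ast.GtE, ast.Eq, ast.LtE)):
        return guard.left.id, rhs
    if isinstance(op, ast.Lt):
        return guard.left.id, rhs - 1
    raise NotImplementedError(type(op).__name__)


def generate_candidate(old, new) -> bytes:
    """Build an input that sends the unpatched code down the path the patch
    closed off. The wire layout (byte 0 = length n, then payload) is assumed
    knowledge here; a real tool recovers it by symbolic execution."""
    guard = added_guards(old, new)[0]
    var, n = tripping_value(guard, globals())
    if var != "n":
        raise NotImplementedError("layout mapping only known for 'n'")
    return bytes([n]) + b"A" * n


def outcome(parser, data: bytes) -> str:
    """Classify what a parser does with a candidate input."""
    try:
        parser(data)
        return "ok"
    except ValueError:
        return "rejected"  # the patch's new error path
    except IndexError:
        return "crash"     # unpatched: a crash/DoS, not yet a working exploit


if __name__ == "__main__":
    payload = generate_candidate(parse_record_unpatched, parse_record_patched)
    print(payload.hex(), outcome(parse_record_patched, payload),
          outcome(parse_record_unpatched, payload))
```

Note what the first candidate actually buys the attacker: the unpatched parser crashes, which is the "dirty" DoS result the diary describes, not a finished exploit. Turning that crash into code execution still takes work, but the hard part (finding the vulnerable input space) has been handed over by the patch itself. The same guard, read defensively, is also the filter a temporary workaround can apply at the perimeter while patching catches up.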

One solution suggested by the authors is "secure distribution of patches". To me this is meaningless. You need to get patches out to people with a minimum of effort; that is why automated patching was such a good thing. Even if you encrypt the patches, require logins and passwords, and so on, you only delay legitimate users' patching, while attackers (who are perfectly able to buy a legitimate copy of Windows) will get the patches quickly anyway. You would lengthen the window of vulnerability without any tangible benefit.

Solution: not much new; we've known the window was closing for a while. Responding quickly and proactively to threats is still a must, and temporary workarounds (filtering the offending input at the perimeter, disabling the affected feature) will probably rise in value. Thoughts? Send them my way.

John Bambenek / bambenek {at} gmail [dot] com


239 Posts
ISC Handler
Presumably, the answer lies not in spending one's time sticking fingers in the holes in the dike, but in building a better dike in the first place!

