Researchers defend study on patch distribution insecurities

Current patch distribution procedures are insecure, according to a team of university researchers who have demonstrated a way to automatically generate an exploit based on the unpatched and patched versions of software. But security pros have been critical of the warning, calling the threat minimal.

The researchers said an exploit could be generated in minutes using techniques for analyzing potential exploit paths. They demonstrated their techniques on five Microsoft programs using patches provided via Windows Update. One exploit generated by the technique caused Internet Explorer to crash and allowed the team to successfully hijack the vulnerable machine.

The researchers, David Brumley and Pongsin Poosankam of Carnegie Mellon University, Dawn Song of UC Berkeley, and Jiang Zheng of the University of Pittsburgh, said software updates that stagger patch distribution over long periods could allow attackers who receive the patch first to compromise systems that are still unpatched. In their research paper, Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications, the researchers say the way software updates are distributed should be redesigned to protect against patch-based exploit generation.

"Our research shows this intuition means an attacker can reverse engineer an input demonstrating the bug in as little as a few seconds," Brumley said in an email exchange. "It previously had not been demonstrated that given a buggy program and the patch, one could generate an exploit automatically."

The research was published in the IEEE Symposium on Security and Privacy in May. A team of researchers with the BitBlaze Binary Analysis Platform Project also contributed to the project.

The research has been greeted with much skepticism from security pros, who dispute that an active exploit could be generated quickly and easily.

Robert Graham, president of Atlanta-based Errata Security, called the paper "a bit overstated" in the Errata Security blog, and said patch engineering is a time-consuming process.

"Generating fully functional exploits by reverse engineering a patch takes a lot of steps, this paper automates only one of them, and only in certain cases," Graham said.
