back to article MS patch system poses 'significant risk', say researchers

A group of four computer scientists urged Microsoft to redesign the way it distributes patches, after they created a technique that automatically produces attack code by comparing the vulnerable and repaired versions of a program. The technique, which the researchers refer to as automatic patch-based exploit generation (APEG), …

COMMENTS

This topic is closed for new posts.
  1. Chris Miller

    Obfuscate the code?

    Have these guys actually looked at any of the MS code that's available to view on the web? It looks pretty damned obfuscated to me!

    If they have a tool that can take program source that's been subject to maintenance patches over many years and somehow 'understand' what's going on, they've got a much bigger target audience than a few hackers.

  2. Ideala2
    Paris Hilton

    Paris... but i'm on a phone...

    and don't want to go icon hunting...

    i'm still... Slightly confused...

    a third are exploited before or after...

    does this just mean two thirds never have an exploit?

    (Wasn't so hard to find after all... thankyee opera)

  3. Matt

    Other OSs

    Not wanting to start a war about which is best, but surly this isn't limited to Microsoft. In fact with open source there's no need to reverse engineer as you can get the source and see for yourself.

    On the other hand I've seen no evidence that patches for open source products are exploited any more, or less, because of this.

  4. Anonymous Coward
    Anonymous Coward

    Maybe they should start with the basics?

    I'm OK with that perfection isn't possible in complex systems, but "the most secure OS to date" Vista demonstrated that MS is far from getting a handle on the root problems - their priorities and the structure of Windows itself.

    The need to sell a new version and thus inflict new (and seemingly badly tested) code on end users conflicts heavily with efforts to get to a stable code base in the first place, and the net result has been that MS has lost the last bit of trust they had from business, who are finally starting to vote with their feet. If it wasn't for the pre-load monopoly the numbers would be even worse.

    Users have enough resource hugging features already (compare what Linux Compiz does with 3D graphics to Windows Aero) - maybe MS should focus on getting its own house in order before trying to "help Intel".

    And they're promising a new version again..

  5. Jack Harrer
    Dead Vulture

    Re: Obfuscate the code?

    That's what virus writers have been doing for years!

    Call it a full circle...

  6. Anonymous Coward
    Anonymous Coward

    Linux higher risk?

    Love it, I really do, I use it all the time.

    But with automated updates less likely and a more random patch cycle and as the guy above says you can look at the source. Surely there's a more significant risk there.

    Oh, and net stuff like Apache announce their version numbers as soon as you look at them....

  7. TimM

    Generate in seconds, but...

    ... it takes a lot longer than that to distribute. Probably the majority of viruses and malware fail to get anywhere significant anyway.

    By which time most people with any sense have got the patch and/or their anti-virus software will have been updated to catch the virus / malware that delivers the attack (or firewalls block it).

    The attack is one thing. It still needs to be packaged up and delivered to the vulnerable some how.

    And yes, as said, it's the same with any other OS. Technically worse on Linux because the vulnerability is discussed in an open forum before the patch is created, whereas Microsoft's are often not known until the patch is released. But yeah, Linux is more secure and all that, at least in that it's less likely you'll get infected in the first place (except I would say if you run a web server with PHP which is more of a security risk these days than IIS, particularly as very few admins bother to patch up all the PHP apps they have running).

  8. Ken Hagan Gold badge

    (untitled)

    As far as obsucation is concerned, I think the point is that the patches could be distributed in encrypted form and the decryption keys distributed afterwards. Since the keys are very small, we'd go from a state of "no patches visible" to "all patches applied" in a very short space of time. The window of opportunity closes.

    However, I'm sure we've all read claims that the majority of compromised systems were nobbled using exploits which MS patched many months or years earlier. If MS have persuaded everyone to plug into automatic updates, then that's a sea change from a few years ago. It's also rather unlikely, since corporate admins tend to hold back on applying patches until they've tested them. The window of opportunity is not allowed to fully close.

    The solution is not to need patches in the first place. But no-one manages that.

  9. Anonymous Coward
    Anonymous Coward

    Security Utopia

    There is no such thing as an uncrackable system - THEY CAN ALL BE CRACKED ! Enigma anyone ?

    To use the burglar comparison if you have an alarm, window locks (no pun intended), guard dog, blah blah and your neighbour does not you can guess who the burglar is going to go for.

    Or the car analogy (groan not this one again) where 95% of people own a Ford then if you know how to break in to a Ford presto you know how to break into 95% of cars and why bother with the other 5%.

    Computers are like life - don't go to down town Johannesburg at 2.00am waving you wallet around if you enjoy breathing !

  10. frymaster

    re: Other OSs

    Wasn't there quite a severe (as in: actually exploited heavily) problem with either apache or ftp, where one middle-level paper-pusher involved in a distro pushed out a fix in advance of the agreed-on-with-other-distros time, resulting in the other distros getting severly hacked?

    This is another reason for a monthly cycle - so everyone knows exactly when to update their machines(although the other - to help IT departments have a more regular testing cycle - is kinda at cross-purposes to this)

  11. R Callan
    Linux

    Security Utopia by AC

    Enigma was not expected to be totally secure. Because it was used for tactical reasons the reasoning was that by the time it was cracked the imformation included was out of date and therefore useless. Geheimschreiber on the other hand, Colossus anyone?

  12. amanfromMars Silver badge
    Flame

    It is all just AIMatter of Judicious Political Application or ITs Abdication thereof

    "The researchers suggested possible avenues that Microsoft could pursue to increase the likelihood that customers received patches before attackers could reverse engineer them, including obfuscating the code, encrypting the patches and waiting to distribute the key simultaneously, and using peer-to-peer distribution to push out patches faster."

    It is hard to beat the transparent sharing of worries, such as this tale which we have just read, to realise that the Master Control Program is being made up on the Hoof, and is in Present Jeopardy of Imminent XXXXPosure and Cataclysmic NEUKlearer Collapse, rather than Forging a Way Ahead into the Future, with Unrivalled Knowledge and ITs Paths Known and Home Grown in Imagination.

    That is an interesting Phishing XXXXpedition, Robert Lemos, SecurityFocus. And should you consider that the Sprat Bait has landed a Whale or a Shark or hooked a Mine or even Energised another worriesome Attack Tangent, and one would then need to consider one's own complicity in the vector and whether third party security firms are an unnecessary Vulnerability to the System they are feeding off to protect, [ye olde Banking System, Beneficial Parasite Enigma], although of course, to consider that such is necessary for a System Vulnerability rather than a Beta Intelligence making the System Totally Aware of ITs Myriad Internal Bleed Faults, would be an Interesting CyberIntelAIgent Stealth akin to a Contemporary White Knight/White Hat Wraith/Alien Concept which Mortals may prefer not to Comprehend because of the Universal Implication ...42MisUnderstand for the Further Serving of Profit rather than Prophecy. IT is though, not a sustainable Intelligently Designed Path, Spiralling Debt dressed as Credit to Feed Machines ProgramLed by WarMongers, is it.

    But do not take such a worry from just the Posted HyperRadioProActive Voice in the CyberIDEntity ProgramMIng, amfM. Read about it further here .... http://www.nsa.gov/public/pdf/challenge_signit.pdf .... where the following struck a Realtive Chord .....

    <<< So-here's our challenge. Regard the last 20 years as a period of relative stability. Think about the systems, deployments, hardware, procedures, organizations, and best uses of all of our resources, especially our own personal time. Press forward with vigor, but stay flexible. Don't try to stick toO long with an obsolete project. Try to

    achieve that nice distinction between the visionary and the

    tried and true, which leads to the efficient, effective, practical. Don't be afraid to beg, borrow, buy or steal an idea. It might be better than one of our own pet brainchildren. Don't overestimate what we can do within the next few months. Don't underestimate what the

    "industry" will do in the next few years. Learn the capabilities and limitations of what's going on in all of the relevant fields. Don't be held back by yesterday's limitations if we can see that they may reasonably be removed. Don't become wedded to a single technique or a single organization concept or a single procedure. Compare the

    competitors with a cold, managerial eye and be quick to change direction when the facts indicate. We can create the systems to do the work.>>>>>

    Which one would have to answer with "Yes, you can, but you don't, and you haven't. Why not? Please Justify with an XXXXPlanation?

    "Slightly confused... a third are exploited before or after...does this just mean two thirds never have an exploit?" .... By Ideala2

    Posted Friday 25th April 2008 07:52 GMT ...... In your dreams, Ideala2, it just means that they haven't been [yet] exploited. Which leaves the System riddled with Future Worm Holes for Entry into the Core/Code Base. And that suggests that the System is Fatally Flawed to ITs Root Source Ways and therefore in terms of Secure Use, Useless.

    Or would you like to Disagree?

    It is however most easily fixed from the Top Down with New Root Source Ways for then would the Program and ITs ProgramMINg be Immediately Different and more IntelAIgently Designed for the Changed Paradigm of BasICQally Visualising and Virtualising Intangible CyberSpace with Global Operating Device Powers for Reality Controls ...... which ought to give old Time religion something to shout about Amen, Allahu Akbar, Let their be Light without Might and Maybe .....

    You may like to consider and graciously accept that One does NOT have any Negative Choice in the Matter and to revisit "Naked Emperors .... Executive Global Administrations .... " ...Posted Thursday 24th April 2008 18:18 GMT http://www.theregister.co.uk/2008/04/24/xp_ballmer_customer_demand/comments/ ....as armed with further Information will give Greater Understanding to Uncover ITs Plain Truths for dDeeper Meaning.

    Mein Gott, is IT Friday again, already? Where does Time Go when IT Flies?

    And the Flame because it's hot down there amongst all the Losers and not all XSSXXXXually for they cannot Handle that Gem of a Gift making it Plain for all to see their Greed and Need and their Fundamental Weakness and Degenerative Flaws.

  13. Chris
    Thumb Up

    Doesn't this just prove

    ...that the most insecure systems are those with unpatched, known vulnerabilities.

    For the sake of your systems install all security patches as soon as they are available.

    I still believe the Open Source method is better as the turn-around is much quicker and it doesn't depend on a monthly release cycle.

  14. Wize

    Erm...

    "In its recent Security Intelligence Report, Microsoft found that a third of the flaws patched by the company were exploited either before or after the update was released."

    I'm guessing the other two thirds happened during the same millisecond the updates get released?

  15. Bronek Kozicki

    so much innovation...

    towards exploiting program vulnerabilities, and so little towards preventing them in the first place. It would be sad if inventors of discussed technique do not utilize gained expertise to create better analysis tools that all developers (not only Microsoft) could use to prevent bugs from endangering the public.

  16. Andy Turner

    It's no wonder that

    Vista is supposedly slower/bloated. It must have so much code in it to validate parameters and data over and over again as its manipulated in memory in case it gets injected with malware crafted data. Long gone are the days where you could make assumptions about the calling patterns of your methods because your methods are private and supposedly will only get called from known internal sources. Without all this checking required because of the bloody malware crims, Vista could probably run considerably faster.

  17. Kanhef
    Boffin

    Code obfuscation

    can be done on machine code, after compilation. Remove variable names, line numbers, and other debugging info. Use branch statements to turn it into spaghetti code; the processor doesn't much care, but decompilers will choke. Maybe bring in some steganography, replacing add (n) with sub (-n) and the like. Add some randomization so repeated runs on the same code won't produce the same result. Even minor changes to the source will result in sufficiently different executables as to make diffs useless.

  18. Geoffrey Swenson

    So do they have any suggestions of what M$ should do?

    Whatever Microsoft deos, there is going to be the previous version to compare with the new version. i doubt that obfustication will work, it is just a variant of security by obscurity. Since the code still has to generate actual instructions, there will be something to compare with no matter what they do.

    Perhaps microsoft needs to look at the code being generated by the Black Hats and find ways to reverse-engineer what the exploiters are doing. I wouldn't surprised that they are already doing this. They could then litter the patches with some chaff designed to look like changes to the malicious code bots. But I don't think it would take very long before the code bots were redesigned to detect the fake changes and only focus on real ones.

    These researchers have found something all right, but it would be more useful if they actually have found some way to prevent this kind of pactch code comparison being done. Somehow I think that Microsoft is probably already aware of this/

  19. amanfromMars Silver badge
    Alien

    Only the Messenger ..... Don't Shoot the Message, Fix IT with a Better Product.

    "So do they have any suggestions of what M$ should do?"

    What else can they do other than release a new OS which doesn't need patch protection/isn't full of back doors and windows which allows Programmers and Systems Analysts to see and seize Opportunities and/or Vulnerabilities. It is not so much that the System is Hackable, it is more that it is full of Cracks, and that is all down to Microsoft in the Final Analysis.

    And yes, I would agree with you that Microsoft is probably already aware of this..... which makes them Liable for any Losses incurred if the System is sold without clear documentation chronicling the Inherent Failings and Probable Cause Attack Vector?

    Which really makes it pretty worthless for any Security consideration until such Time as they can address such concerns. As a toy system, it is fun to play with though.

    An Alternate Solution would be to take AI Control of the Cloud and Virtualise their Control Kernel making IT QuITe Impossible for any Unauthorised Access without first Registering Oneself and Proving Oneself Fit for the Purpose of Rendering ITs Key Codes/Accesses/Benefits. MeThinks, that would be the much Easier Option and the more Advanced One2 and being as it would necessarily be a Top Down Application, FailSafe Secured in a Need2KnowFeed42Know XXXXecutive Administrative Paradigm.

    PS El Reg ..... your "Posted Saturday 26th April 2008 10:11 GMT" clock is one hour reading late.

  20. Ross

    Looking into my crystal ball I see....

    One sentence stood out for me in that article.

    [As reverse engineering gets more prevalent in the industry, you should be generally thinking about how to change your code to make it harder to do.]

    So, how many months do you think it will be before *all* reverse engineering is illegal?

  21. suc
    Thumb Down

    this research is pure FUD because every OS would be affected

    this research is pure FUD because every OS would be affected, NOT just only Microsoft. Open Source software would be also more vulnerable, because you can exploit the flaws just after you compared the source code.

  22. Andrew Barratt
    Boffin

    Patch or no patch, that is the question.

    The problem is that however MS or anybody else for that matter choose to distribute their security patches to customers a customer can always be a bad guy running an APEG like system.

    Obfuscating wont work if all the tools are designed to do completely automated analysis and testing.

    Encryption, oooh they can't steal it in transport. No use if the APEG is being run by a bad guy with a genuine subscription (and hence decryption keys).

    Until vendors start getting products right before release, patch management has to be made very slick and patches installed once tested. Minimise the risk of exploit.

  23. Anonymous Coward
    Unhappy

    Nothing new here

    This has always been the case. Most of the major worms in the past 10 years did not surface until after the patch was available. Malware authors know people are lazy or naive and many will fail to apply their patches.

    In terms of protection from zero day exploits, one approach would be to encrypt the update with a random key and push it down through Windows update where it remains dormant. A day or two later, push down the key to decrypt and install the patch. Until the key is pushed down, the malware author can't tell what is being patches, and can't use difference techniques to discover the exploits. At the time the key is known to the malware authors, many more doors would be closed.

  24. SpitefulGOD
    Gates Halo

    Back to basics

    And stealth updates, I always knew that that was the best way for Microsoft to fix their issues (before the beardy's stuck their nose in anywho).

  25. Jim Paradyne

    Just get better at patching?

    Surely thats the answer?

    If it is taking a month to roll out patches then the window of exploit is HUGE!

    A month you say? Well that is the amount of time that Microsoft allow for patching within their own network (according to the SMS training guide)

    If you use old dated patching systems like SMS, Altiris, LanDESK, Radia or even Lumension.. Good luck...

    As for the person who mentioned that it is the distribution of such attacks that would be the problem... get with the program. Nowadays its all about the targetted attack. The attacker knows who he wants to go for and will have everything up and running very quickly indeed.

    Patch, and patch quickly.

    I reccomend BigFix together with Skybox or Red Seal networks. Find where you need the patches FAST, then identify what you can do obfuscate the risk, then patch where you need to.

    (and no, I dont work any of them - unfortunately)

  26. Olivier
    Linux

    oen source attack

    Clearly this is an argument against open source code, which has no way to protect itself against this kind of threat..

    The Reg should add a dead penguin picture.

    Anyway, as many people already said there, hackers and security professionnals are doing this for ages. Reducing the number of bugs and vulnerabilities in closed and open source, increasing the speed at which fixes are released AND applied, looks the only sensible approach.

This topic is closed for new posts.