Reverse engineering patches making disclosure a moot choice?

Darned if you do. Darned if you don't

When Microsoft released limited information on a critical vulnerability in Internet Explorer last month, reverse engineer Halvar Flake decided to dig deeper.

Using his company's tool for analyzing the differences between the patched and unpatched versions of a program, Flake pinpointed the Portable Network Graphics (PNG) vulnerability that Microsoft fixed with its latest update, locating the specific changes in less than 20 minutes.

"The PNG patch (is) excellent for a demo," he said. "It's a small (piece of code), which means quick comparison, and the bug is easily understandable for a layman, too."

While Flake - who is also CEO of security software firm SABRE Security - had been searching for a good way to show off the company's binary difference analysis tool BinDiff, the demonstration is just the latest example illuminating how fast patches can be reverse engineered to reveal vulnerable code.

In a paper published in early June, SABRE researchers discussed how they had pinpointed, in less than 30 minutes, the flaw fixed by a Microsoft update to the Secure Sockets Layer (SSL). A reliable exploit for the flaw was created in less than 10 hours. In another example in the paper, the tool was used to discover in less than three hours that Microsoft had corrected a communications vulnerability in the Internet Security and Acceleration (ISA) Server, but had missed the same vulnerability in other parts of the system.

While Flake stressed that binary difference analysis, or "binary diffing," has many other uses - such as finding the changes in virus variants and detecting intellectual property violations in software - an increasing number of security researchers use the technique to find the flaws patched by software updates.
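The comparison described above, reduced to its core idea, as an added example that is not BinDiff, SABRE's code or anything from the article: two listings of the same module are compared function by function, the changed functions are reported, and inserted instructions are checked for the compare-then-conditional-jump shape that typically marks a newly added validation check. A second pass looks for the same unguarded copy pattern elsewhere in the patched module, the kind of check behind the ISA Server finding mentioned in the paper. The disassembly listings, function names and the bounds-check pattern are all constructed for this example; a real workflow would feed the output of a disassembler in instead.

```python
"""Function-level patch diffing, simplified (added example, not BinDiff)."""
import difflib
import re

# Conditional jumps (jcc) but not an unconditional jmp; compare-style opcodes.
COND_JUMPS = re.compile(r"^j(?!mp\b)[a-z]+\b")
COMPARES = re.compile(r"^(cmp|test)\b")

# Constructed sample listings: one function shared by both builds, one fixed,
# and one that still contains the same unguarded copy after the patch.
PNG_CRC = ["push ebp", "mov ebp, esp", "mov eax, [ebp+0x8]",
           "xor eax, 0xffffffff", "pop ebp", "ret"]
PNG_READ_TEXT = ["push ebp", "mov ebp, esp", "mov ecx, [ebp+0xc]",
                 "lea edi, [ebp-0x40]", "mov esi, [ebp+0x8]",
                 "rep movsb", "pop ebp", "ret"]

UNPATCHED = {
    "png_read_chunk": [
        "push ebp", "mov ebp, esp",
        "mov ecx, [ebp+0xc]",        # chunk length taken from the file
        "lea edi, [ebp-0x100]",      # 256-byte stack buffer
        "mov esi, [ebp+0x8]",
        "rep movsb",                 # copies ecx bytes with no bound check
        "pop ebp", "ret",
    ],
    "png_crc": PNG_CRC,
    "png_read_text": PNG_READ_TEXT,
}
PATCHED = {
    "png_read_chunk": [
        "push ebp", "mov ebp, esp",
        "mov ecx, [ebp+0xc]",
        "cmp ecx, 0x100",            # new: reject lengths over the buffer size
        "ja loc_fail",
        "lea edi, [ebp-0x100]",
        "mov esi, [ebp+0x8]",
        "rep movsb",
        "pop ebp", "ret",
        "loc_fail:", "xor eax, eax", "pop ebp", "ret",
    ],
    "png_crc": PNG_CRC,
    "png_read_text": PNG_READ_TEXT,  # same pattern, left untouched by the patch
}


def normalize(line):
    """Lower-case and collapse whitespace so formatting alone never counts as a change."""
    return " ".join(line.strip().lower().split())


def diff_function(old, new):
    """Return the non-equal opcodes (tag, removed lines, inserted lines) between two listings."""
    a = [normalize(l) for l in old]
    b = [normalize(l) for l in new]
    sm = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    return [(tag, a[i1:i2], b[j1:j2])
            for tag, i1, i2, j1, j2 in sm.get_opcodes() if tag != "equal"]


def classify(changes):
    """Heuristic: a compare directly followed by a jcc among inserted lines suggests a new check."""
    added = [l for _, _, new in changes for l in new]
    for prev, cur in zip(added, added[1:]):
        if COMPARES.match(prev) and COND_JUMPS.match(cur):
            return "added validation check: %s / %s" % (prev, cur)
    return "modified, no obvious check pattern" if added else "code removed only"


def diff_module(old_mod, new_mod):
    """Compare two builds function by function and summarize what changed."""
    report = {"changed": {},
              "added": sorted(set(new_mod) - set(old_mod)),
              "removed": sorted(set(old_mod) - set(new_mod))}
    for name in sorted(set(old_mod) & set(new_mod)):
        changes = diff_function(old_mod[name], new_mod[name])
        if changes:
            report["changed"][name] = classify(changes)
    return report


def unguarded_copies(module, copy_op="rep movsb"):
    """Flag functions whose copy is not preceded by any compare-plus-jcc pair (variant hunting)."""
    hits = []
    for name, lines in module.items():
        norm = [normalize(l) for l in lines]
        if copy_op not in norm:
            continue
        before = norm[:norm.index(copy_op)]
        guarded = any(COMPARES.match(p) and COND_JUMPS.match(c)
                      for p, c in zip(before, before[1:]))
        if not guarded:
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    print(diff_module(UNPATCHED, PATCHED))
    print("still unguarded after patch:", unguarded_copies(PATCHED))
```

On the constructed input the report names only png_read_chunk as changed and labels the change an added validation check, while the variant pass still flags png_read_text, which the patch left alone. The same two-step structure, diff first, then search the rest of the module for the pattern the fix addressed, is what makes a patch useful to a defender deciding how exposed the unpatched population remains.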

"We have reached the point where the patch is as revealing as an advisory," said David Aitel, principal researcher and CEO of security firm Immunity.

Aitel stresses that the technique has been used for several years, but adds that the availability of more user-friendly tools, such as BinDiff and IDA Pro, has broadened the pool of people who have both access to the tools and the knowledge to apply the technique.

"You have to assume that we are all doing it," he said.

For software makers, the trend in reverse engineering makes releasing patches a problem: A malicious coder might reverse engineer the patch and build an exploit before a significant fraction of customers can apply the fix.

"It is really a darned if you do, darned if you don't," said Mary Ann Davidson, chief security officer for database maker Oracle.

To make it harder on reverse engineers, Oracle only supplies patches to customers, she said. However, she is under no illusions that serious attackers would not be able to get their hands on a patch to reverse engineer.

Still, binary analysis is not yet common enough for Oracle to change its patching process, Davidson said.

"I don't see this immediately being a threat, but you have to plan for the future and not just after you suffer an attack," she said.

Microsoft also acknowledged that, in at least some cases, the time it takes to reverse engineer patches is decreasing. However, the company stressed that increased adoption of patching technology has reduced the time that users' computers are vulnerable.

"The release of a software update helps provide a solution for customers, whereas the public release of vulnerability details without an associated update only puts customers at risk," the software maker said in a statement sent to SecurityFocus.

Moreover, even with good tools, the process of analyzing code for a vulnerability is not easy, said HD Moore, a security researcher for Digital Defense.

"Actually tracing through the code to figure out how to get to that vulnerable function can still take some time," Moore said. "In terms of how bad it is versus a technical advisory, I would much prefer a nice technical rant ... over having to kill six hours digging through (code)," he said.

Security companies have frequently pointed to circumstantial evidence that the time between the release of a patch and the publication of an exploit has decreased. The increase in binary difference analysis could explain that trend, even though there is no evidence connecting the two. After the first papers discussing the techniques were published over a year ago, there was no large spike in attacks, said SABRE Security's Flake.

In the end, whether better binary analysis means that more companies will inadvertently be disclosing flaws by publishing patches should not matter, Flake said.

"Many people seem to pour time into the disclosure debate that should be spent elsewhere," he said. "It's fruitless and boring and has been for a few years."

Copyright © 2005, SecurityFocus