Reverse engineering patches making disclosure a moot choice?

Darned if you do. Darned if you don't

When Microsoft released limited information on a critical vulnerability in Internet Explorer last month, reverse engineer Halvar Flake decided to dig deeper.

Using his company's tool for analyzing the differences between the patched and unpatched versions of a program, Flake pinpointed the Portable Network Graphics (PNG) vulnerability that Microsoft fixed with its latest update, locating the specific changes in less than 20 minutes.

"The PNG patch (is) excellent for a demo," he said. "It's a small (piece of code), which means quick comparison, and the bug is easily understandable for a layman, too."

While Flake, who is also CEO of security software firm SABRE Security, had been searching for a good way to show off the company's binary difference analysis tool BinDiff, the demonstration is just the latest example illuminating how fast patches can be reverse engineered to reveal vulnerable code.

In a paper published in early June, SABRE researchers discussed how they had pinpointed, in less than 30 minutes, the flaw fixed by a Microsoft update to the Secure Sockets Layer (SSL). A reliable exploit for the flaw was created in less than 10 hours. In another example in the paper, the tool was used to discover in less than three hours that Microsoft had corrected a communications vulnerability in the Internet Security and Acceleration (ISA) Server, but had missed the same vulnerability in other parts of the system.

While Flake stressed that binary difference analysis, or "binary diffing," has many other uses, such as finding the changes in virus variants and detecting intellectual property violations in software, an increasing number of security researchers use the technique to find the flaws patched by software updates.

"We have reached the point where the patch is as revealing as an advisory," said David Aitel, principal researcher and CEO of security firm Immunity.

Aitel stresses that the technique has been used for several years, but adds that the availability of more user-friendly tools, such as BinDiff and IDA Pro, has broadened the pool of people who now have both the access and the knowledge to apply the technique.

"You have to assume that we are all doing it," he said.

For software makers, the trend in reverse engineering makes releasing patches a problem: A malicious coder might reverse engineer the patch and build an exploit before a significant fraction of customers can apply the fix.

"It is really a darned if you do, darned if you don't," said Mary Ann Davidson, chief security officer for database maker Oracle.

To make it harder on reverse engineers, Oracle only supplies patches to customers, she said. However, she is under no illusion that this would stop serious attackers from getting their hands on a patch to reverse engineer.

Still, binary analysis is not yet common enough for Oracle to change its patching process, Davidson said.

"I don't see this immediately being a threat, but you have to plan for the future and not just after you suffer an attack," she said.

Microsoft also acknowledged that, in at least some cases, the time it takes to reverse engineer patches is decreasing. However, the company stressed that increased adoption of patching technology has reduced the time that users' computers are vulnerable.

"The release of a software update helps provide a solution for customers, whereas the public release of vulnerability details without an associated update only puts customers at risk," the software maker said in a statement sent to SecurityFocus.

Moreover, even with good tools, the process of analyzing code for a vulnerability is not easy, said HD Moore, a security researcher for Digital Defense.

"Actually tracing through the code to figure out how to get to that vulnerable function can still take some time," Moore said. "In terms of how bad it is versus a technical advisory, I would much prefer a nice technical rant ... over having to kill six hours digging through (code)," he said.

Security companies have frequently pointed to circumstantial evidence that the time between the release of a patch and the publication of an exploit has decreased. The increase in binary difference analysis could explain that trend, even though there is no evidence connecting the two. After the first papers discussing the techniques were published over a year ago, there was no large spike in attacks, said SABRE Security's Flake.

In the end, whether better binary analysis means that more companies will inadvertently be disclosing flaws by publishing patches should not matter, Flake said.

"Many people seem to pour time into the disclosure debate that should be spent elsewhere," he said. "It's fruitless and boring and has been for a few years."

Copyright © 2005, SecurityFocus
