Hackers exploit Windows patches

[MrLinus]

Pooh, I take it back. MS will keep me employed for a long time.


Attitude is sometimes the necessary thing in Security and your attitude toward it (not you Pooh, I'm using "you" in the general sense) can either help make you more secure and make you more vulnerable. Unfortunately, this article caused me to laugh up my Diet Coke all over my laptop keyboard. I hope MS' PR department will pay for a new one. (I added the bolding to the necessary areas).


Source

Malicious hackers and vandals are lazy and wait for Microsoft to issue patches before they produce tools to work out how to exploit loopholes in Windows, say experts.

Exploits get written once patches appear

Instead of working it out for themselves, malicious hackers are reverse engineering the patches to better understand the vulnerabilities, said David Aucsmith, who is in charge of technology at Microsoft's security business and technology unit.

In a keynote speech to the E-Crime Congress organised by Britain's National Hi-Tech Crime Unit, Mr Aucsmith said the tools that hackers were producing were getting better and shrinking the time between patches being issued and exploits being widely known.

"We have never had vulnerabilities exploited before the patch was known," he said.

Tools of choice

A good example of this phenomenon, he said, was the recent ASN1 "critical vulnerability" that Microsoft produced a patch for in early February.

The vulnerability was discovered by Eeye Digital Security in July 2003 but no exploits were produced until three days after Microsoft's patch became available.

"Many people reverse engineer the patch and then build the exploit code," said Mr Aucsmith.

Malicious hackers were greatly aided by improvements in tools that did a better job of working out what patches did.

Firms have less time to react to vulnerabilities

He said tools were available that compared patched and unpatched versions of Windows to help vandals and criminals work out what was different.

"The guys who write the tools would not consider themselves to be criminals by any measure," he said, "but the tools are also being picked up by people with criminal intent."

Mr Aucsmith said he could only think of one instance when a vulnerability was exploited before a patch was available.

"It's a myth that hackers find the holes," said Nigel Beighton, who runs a research project for security firm Symantec that attempts to predict which vulnerabilities will be exploited next.

He said in many cases the appearance of a patch was the spur that kicked off activity around a particular vulnerability.

Many different malicious hackers and hacking groups competed to see who could be the first to produce a virus or other program that could work with the known hole, he said.

Mr Aucsmith urged companies to keep up with patches because the time they had to react before hackers released exploits was shrinking.

Newer operating systems were also more secure than older programs such as Windows 95 which, when it was first released, had no security features in it at all.

"Almost all attacks against our software are against the legacy systems," he said.

"If you want more secure software, upgrade."

[SDK]

"If you want more secure software, upgrade."

PRICELESS!!!!

[alphabetarian]

That's kinda funny...yet scary at the same time.

But I wonder which comes first for open source OSes...the discovery of the whole and the subsequent patch or the exploit? Any thoughts or experience?

alpha

[MrLinus]

I would say that regardless of the OS, there are "0day" exploits in the wild and that any patches/updates/hotfixes are reversed engineered. It is not MS specific for that to exist. But as someone pointed out, there may be an appearance that exploits are released after patches since those that discover the holes don't necessarily do "full disclosure" and wait for MS to response to it first.

IMHO, I think this article and statement might lead some of the more general users to think that there is no risk as long as they have patches and not worry about security outside of patching a system. In addition, the statement that it is only legacy software might lead some to think that having a default install of XP or 2003 makes them secure as long as they are patched up the proverbial "wazoo". Personally, I think this sends a misinformed message to users about what they need to be aware of.

Users should be told that no matter when a patch is released there is always a risk. It doesn't need to be a panic statement but a general education statement. Time and again, we know that an educated user is at least somewhat better than an uneducated one when it comes to security.

[ric-o]

MsM, thanks for the laugh...and scare.

Yeah, this happens to the open source OS's too. I heard that when new open source patches are released, hackers analyze them doing differential comparisons against existing code to see what was fixed. Then they write exploits based on what was fixed. So then the open source community got wise and released patches with TONS of lines in it and fixing many bugs in order to hide (re. obscure) the nasty bugs that were fixed.

[Maestr0]

This is not suprising to me in the slightest. It is much easier to have something to base code on than to start from scratch. One of the E-eye team sent an e-mail on a mailing list I get(sorry can't recall which one of the trillion) saying how the ASN.1 packets from Retina had a an encrypted watermark of "eEye2004" which mysteriously found its way into the ASN.1 vuln check for Nessus. They just ripped the packets straight from Retina. Dirty Trick? Maybe. Hella Easier? You know it.

-Maestr0