Fog Creek Software
g
Discussion Board

Hackers reverse engerneering patches...

David Aucsmith from MS's security unit is quoted as saying hackers are reverse engineering patches from MS in order to exploit vulnerabilties.  Aunty Beeb's report is here: 

http://news.bbc.co.uk/1/hi/technology/3485972.stm

So after Patch Wednesday, we'll get Exploit Friday and Virus Monday.  Oh joy...

a cynic writes...
Thursday, February 26, 2004

That pretty much goes without saying.  As the article points out, most exploits have come out after the patches to fix them.  Releasing a security patch has the unfortunate side-effect of alerting people with malicious intent that a problem exists. 

My guess would be that many of the recent big news exploits would never have happened if there wasn't a patch released that announced the existence of the flaws.  I think it was MSBlast where there was about a month between the patch being released and then the exploit being released.  It's a catch-22.  You can't openly and honestly fix a security hole without alerting people to the existence of the security hole. 

SomeBody
Thursday, February 26, 2004

The patch releasers should ship a patch to a problem that doesn't exist. That way the hackers are spinning their wheels trying to hack nothing...

Gotta go.

--
ee

eclectic_echidna
Thursday, February 26, 2004

Eh ...

Of course a lot of exploits are constructed when patches go live. That doesn't change the fact that most of these are known by black hats long before.

Most of the really bad remote exploits we had this autumn was discovered from forensics of owned boxes. This is true both for Windows and Linux.

Just because an exploit hasn't had very wide circulation doesn't mean you're safe. It depends on what you are protecting against? A motivated hacker or just the latest worm?

Is one million worm infections worse than a directed attack? It depends on who you are. People don't write worms on unpublished exploits. Those secrets are valuably traded on the underground scene. Why give them away when worms written from published exploits works "good enough"?

Do you feel more secure only because a particular exploit hasn't been posted to Bugtraq yet?

Jonas B.
Wednesday, March 3, 2004

*  Recent Topics

*  Fog Creek Home