Defend against patch-based exploits, warns Sans

Automatically generated exploit code from reverse-engineered patches can be countered with centralised configuration management, says the Sans Institute
Written by Tom Espiner, Contributor

Security training organisation the Sans Institute claims centralised patch management can be used to counter the threat of automated, patch-based exploit generation.

The advice, published on Monday, follows the release of research from the University of California at Berkeley, University of Pittsburgh and Carnegie Mellon University that maintains that exploits for vulnerabilities in code can be reverse-engineered from patches and generated automatically.

The paper recommended that software patches be distributed in encrypted form, to reduce the amount of time attackers have to reverse-engineer the patch. However, Sans contributor John Bambenek criticised this approach, saying that the major problem with patching was the time it takes to reboot systems once a patch has been applied.

"The problem with this is that the delay from the time of releasing the patch is not caused from the rolling cycle of downloads but from the need to reboot systems after a patch is applied (most of the time)," wrote Bambenek. "In short, a system may still have the key to decrypt a patch but it would not be applied until either the user rebooted the machine or at some default time when a reboot is acceptable (ie, 3am)."

Instead, Bambenek called on systems managers — "the people in the trenches" — to centrally manage patch distribution and other defence measures such as hot fixes and kill bits — Microsoft workarounds to stop unexpected ActiveX execution in Internet Explorer.

"If we get out hot fixes, registry changes, kill bits or any other defence, centralised configuration management allows for the quick deployment of these minor protective changes that will allow you to 'limp along' until a patch can be applied," wrote Bambenek.

However, those managers deploying configuration and patch-management products should be aware that any patch-management application becomes the "absolute most important system in your environment, even more important than those that house trade secrets".

"A configuration-management system becomes a 'single point of 0wnership' that allows an attacker to take direct control over not one machine but an entire organisation, whole and entire," wrote Bambenek. "Protect the keys to the kingdom."

Bambenek also called on software manufacturers to bring out patches that don't require a reboot and for the security researcher community to speedily bring out any necessary workarounds.

"Some patches will require reboots and there will be no way around that. We need to find defences to allow people to protect themselves in the meantime," wrote Bambenek.

Editorial standards