Once you have software, you most probably have some decent bugs as well. Software vulnerabilities are everywhere; they come with the code. Patch and change management is the established way of handling these weaknesses. At DeepSec 2015 Mitja Kolsek spoke about a new way of addressing vulnerabilities: „Software vulnerabilities are likely the biggest problem of information security, fuelling a rapidly growing market for “0days”, “1days” and exploits alike. It can be highly intellectually challenging to find a vulnerability and create an exploit for it, and super entertaining to reveal it all to the bug-hungry crowds (preferably along with a logo and a catchy name, courtesy of the marketing department). As a result, there’s been a lot of innovation and progress on the offensive side of information security, and a corresponding defensive industry is thriving providing quasi-solutions that can be bypassed by any motivated attacker.
But almost nothing has changed at the core of the problem: software vendors still produce critical vulnerabilities, aren’t motivated to provide patches, and only a handful of them are capable of responding and delivering a security update when a 0day gets published. And then, when a vendor’s security update is available, it takes weeks or months before it gets applied throughout a corporate network as the risk of interrupting business processes requires testing and gradual deployment.
Now, what if vendors didn’t have a monopoly on patching their code because any vulnerability researcher could write a patch instead of (okay, in addition to) writing an exploit? And what if admins weren’t afraid to apply the patches because patches could be applied instantly without relaunching applications or restarting the computer, and could also be instantly un-applied if they turned out to be causing problems?
The technology for this exists, and will allow vulnerability researchers to not only research a vulnerability but also fix it with just a few well-chosen machine code instructions – and monetize their hard work in an unquestionably ethical way.
In this session, we will take apart a known vulnerability, determine its root cause and create a micropatch for it, which will then get applied to the vulnerable application while the application is running. We’ll look at the tools needed for this and hopefully turn some of the exploit developers in the audience into patch creators.“
We recommend Mitja’s presentation to anyone dealing with software and change management. Patches change something, right?
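The mechanism the abstract describes, a fix consisting of a few machine code instructions that is applied to a running process and can be taken out again, as an added example in C for x86-64 Linux. This is not code from the original post and not any tooling of the speaker's; the vulnerable read_public_byte, its corrected twin, the sample record and the helper names are all constructed here, and the patch is simplified to a relative jump at the function entry rather than a fix inside the function body:

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed sample record: the first PUBLIC_LEN bytes may be served to
 * callers, the remaining bytes are a secret that must never leave the process. */
enum { PUBLIC_LEN = 8, RECORD_LEN = 16 };
static const uint8_t g_record[RECORD_LEN] = {
    'p','u','b','l','i','c',0,0,  's','e','c','r','e','t',0,0
};

/* The "vendor" code as shipped: it only checks against the buffer size, so
 * offsets 8..15 hand out the secret half of the record (missing bounds check). */
__attribute__((noinline)) int read_public_byte(unsigned off)
{
    if (off >= RECORD_LEN) return -1;
    return g_record[off];
}

/* The corrected logic the micropatch redirects to. */
__attribute__((noinline)) int read_public_byte_fixed(unsigned off)
{
    if (off >= PUBLIC_LEN) return -1;
    return g_record[off];
}

/* ---- minimal in-memory patcher (hypothetical helper, x86-64 Linux only) ---- */
enum { JMP_LEN = 5 };               /* E9 rel32: one relative jump */
static uint8_t g_saved[JMP_LEN];    /* original bytes, kept so the patch can be reverted */
static uint8_t *g_patched_at = NULL;

int micropatch_supported(void)
{
#if defined(__x86_64__) && defined(__linux__)
    return 1;
#else
    return 0;
#endif
}

/* Change protection of the page(s) covering [addr, addr+len). */
static int set_prot(void *addr, size_t len, int prot)
{
    uintptr_t pg = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)addr & ~(pg - 1);
    uintptr_t end = ((uintptr_t)addr + len + pg - 1) & ~(pg - 1);
    return mprotect((void *)start, end - start, prot);
}

/* Write `len` bytes of machine code over `dst`. The page is RWX only for the
 * duration of the write (RW alone is not an option: this function may sit on
 * the same page as the target), then returned to read+execute. */
static int write_code(void *dst, const void *src, size_t len)
{
    if (set_prot(dst, len, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) return -1;
    memcpy(dst, src, len);
    __builtin___clear_cache((char *)dst, (char *)dst + len);
    return set_prot(dst, len, PROT_READ | PROT_EXEC);
}

/* Apply: overwrite the entry of `target` with `jmp replacement`. Assumes the
 * target is at least 9 bytes long and both functions live within +-2 GiB of
 * each other (true for code in the same executable). */
int micropatch_apply(void *target, void *replacement)
{
    static const uint8_t endbr64[4] = { 0xF3, 0x0F, 0x1E, 0xFA };
    if (!micropatch_supported() || g_patched_at != NULL) return -1;
    uint8_t *at = target;
    if (memcmp(at, endbr64, sizeof endbr64) == 0) at += sizeof endbr64; /* keep the CET landing pad */
    intptr_t delta = (intptr_t)replacement - ((intptr_t)at + JMP_LEN);
    if (delta > INT32_MAX || delta < INT32_MIN) return -1;
    int32_t rel = (int32_t)delta;
    uint8_t jmp[JMP_LEN] = { 0xE9 };
    memcpy(jmp + 1, &rel, sizeof rel);
    memcpy(g_saved, at, JMP_LEN);
    if (write_code(at, jmp, JMP_LEN) != 0) return -1;
    g_patched_at = at;
    return 0;
}

/* Revert: put the saved original bytes back; the process is never restarted. */
int micropatch_revert(void)
{
    if (g_patched_at == NULL) return -1;
    if (write_code(g_patched_at, g_saved, JMP_LEN) != 0) return -1;
    g_patched_at = NULL;
    return 0;
}

/* Exercise vulnerable -> patched -> reverted on the live function.
 * Returns 0 on success, otherwise the number of the step that failed. */
int run_demo(void)
{
    /* volatile pointer: stops the compiler from inlining or specialising the
     * call, so each request executes whatever bytes currently sit at the symbol */
    int (*volatile reader)(unsigned) = read_public_byte;

    if (reader(8) != 's') return 1;                       /* unpatched: the secret leaks */
    if (micropatch_apply((void *)read_public_byte,
                         (void *)read_public_byte_fixed) != 0) return 2;
    if (reader(8) != -1 || reader(0) != 'p') return 3;    /* patched: blocked, public data still served */
    if (micropatch_revert() != 0) return 4;
    if (reader(8) != 's') return 5;                       /* reverted: original behaviour is back */
    return 0;
}

int main(void)
{
    if (!micropatch_supported()) { puts("demo needs x86-64 Linux"); return 0; }
    int rc = run_demo();
    printf("micropatch demo %s (rc=%d)\n", rc == 0 ? "OK" : "FAILED", rc);
    return rc;
}
```

The example only shows the two properties the abstract stresses: the fix lands while the code is live, and un-applying it is a memcpy of the saved bytes. A real micropatch is placed at the faulty instruction inside the function body and jumps back after the added check, so unrelated code paths in the same function stay byte-for-byte untouched; doing that requires the disassembly work the talk describes, and a multi-threaded target additionally needs the overwrite to be atomic (or the other threads paused) so no thread executes a half-written instruction.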