DeepSec 2015 Talk: “Yes, Now YOU Can Patch That Vulnerability Too!” A short Interview with Mitja Kolsek
Patching software is a crucial task when it comes to fixing security vulnerabilities. While this works, you usually have to wait until the vendor or the developers provide you with either an upgrade or a patch. What do you do in the meantime? Reducing the exposure of the software helps, but sometimes you have no choice: public interfaces are public. There’s help. Do it yourself! Mitja Kolsek will tell you more.
Please tell us the top 5 facts about your talk.
- We want to shake the security world by introducing a simple twist and essentially reinventing software patching.
- Attackers’ main advantage comes from software vulnerabilities (often very old and long-patched ones), which are a critical ingredient of most breaches into corporate and government networks.
- Unfortunately, most software vendors lack economic motivation for providing patches, let alone proactively looking for vulnerabilities in their own software. At the same time, administrators are careful about applying updates because they sometimes break functionalities and products, and often require computer restarts, which requires lots of testing and delays the removal of vulnerabilities for weeks or even months.
- We’ve developed a technology that allows security researchers to create microscopic patches which home users and administrators can apply to – or remove from – applications’ images in memory, instantly and without any restarts or reboots. This minimizes the inherent risk of patching and completely removes the downtime otherwise associated with installing and uninstalling a patch.
- I’ll demonstrate how a security researcher can turn a typical remote code execution vulnerability into a working micropatch, and how this micropatch is instantly applied to – and removed from – a running application.
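An added illustration of the mechanism the last two points describe, not code from the talk or from 0patch: a function whose only defect is a missing length check is redirected in memory to a fixed version and later restored, without restarting the process. It assumes Linux on x86-64, and the vulnerable and patched handlers, the function names and the `jmp rel32` patch format are all constructed for the demo.

```c
/* Constructed demo (Linux x86-64): hot-patch a function entry in the running process. */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#define BUF_SIZE 16  /* buffer the original handler assumes but never checks against */
#define PATCH_LEN 5  /* one x86-64 "jmp rel32" instruction */
/* Stand-in for vulnerable code: never checks the input length against BUF_SIZE.
   It only returns the length, so the demo itself is safe to run. */
__attribute__((noinline)) int original_handler(const char *input)
{
    return (int)strlen(input);  /* the missing "n < BUF_SIZE" check is the bug */
}
/* The micropatch body: identical logic plus the one check the original lacks. */
__attribute__((noinline)) int patched_handler(const char *input)
{
    size_t n = strlen(input);
    return n < BUF_SIZE ? (int)n : -1;  /* reject input that would overflow */
}
static uint8_t saved_bytes[PATCH_LEN];  /* original entry bytes, kept for removal */
/* Overwrite the first PATCH_LEN bytes of original_handler. The range may straddle a
   page boundary; the code pages are writable only for the duration of the copy. */
static int write_entry(const uint8_t *bytes)
{
    uintptr_t entry = (uintptr_t)original_handler, page = (uintptr_t)sysconf(_SC_PAGESIZE);
    void *start = (void *)(entry & ~(page - 1));
    size_t len = ((entry + PATCH_LEN + page - 1) & ~(page - 1)) - (uintptr_t)start;
    if (mprotect(start, len, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) return -1;
    memcpy((void *)entry, bytes, PATCH_LEN);
    return mprotect(start, len, PROT_READ | PROT_EXEC);
}
/* Apply (once): redirect original_handler to patched_handler, no restart needed. */
int apply_micropatch(void)
{
    uint8_t jmp[PATCH_LEN] = {0xE9};  /* jmp rel32, relative to the next instruction */
    int32_t rel = (int32_t)((intptr_t)patched_handler - ((intptr_t)original_handler + PATCH_LEN));
    memcpy(jmp + 1, &rel, sizeof rel);
    memcpy(saved_bytes, (const void *)(uintptr_t)original_handler, PATCH_LEN);
    return write_entry(jmp);
}
/* Remove: put the saved bytes back so the original code runs again. */
int remove_micropatch(void)
{
    return write_entry(saved_bytes);
}
/* Call with the input passed through a volatile so the compiler cannot fold the call. */
int call_handler(const char *input)
{
    const char *volatile p = input;
    return original_handler(p);
}
```

Before the patch the handler accepts any length; after `apply_micropatch()` the same entry point rejects over-long input, and `remove_micropatch()` brings the original behaviour back in the same process.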
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
In our penetration testing engagements, our team has been successfully breaking into our customers’ networks for over 15 years – always using the same method over and over again: selecting a relatively fresh vulnerability with a publicly-known exploit, tailoring the exploit to work with our remote control tool, and phishing customers’ users until someone with a vulnerable computer visited our “malicious” web site. Although many end-point security products and solutions have emerged to combat this attack vector, we (and real attackers) are still always able to bypass them with little effort.
Our technology, called “0patch”, grew from our frustration with the fact that essentially nothing has changed in 15 years to make attacks on networks harder. It is irrational to expect software vendors to start behaving irrationally themselves, so we decided to introduce a new actor to the patching process: a global crowd of security researchers. They will now be able to create patches for vulnerabilities they find and get paid for these patches by the users who apply them.
Why do you think this is an important topic?
While software patching does not sound like an exciting, innovative topic, we believe its current form is the single most important flaw in IT security, and nothing else the industry does can have much impact without fixing this.
Is there something you want everybody to know – some good advice for our readers maybe? Except for “come to my talk”?
Come to my talk… to get a free beta account and start creating your own micropatches! 🙂
Besides that, I’d like everyone to know that there is a better way to approach patching for everyone (users, admins and software vendors), a way that is not so slow, expensive, risky and sporadic as we’ve grown accustomed to. This talk is your opportunity to not just see how fixing vulnerabilities can dramatically improve, but also become part of the solution by learning how to create micropatches.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to particularly your field of expertise / the topic of your talk?
In the future we see automated vulnerability finding augmented with micropatching (which we’re already successfully experimenting with), micropatching of IoT devices, and software vendors beginning to use micropatching for quickly fixing their critical vulnerabilities. In our wildest dreams we also see compilers generating immediately-applicable micropatches for code that has been changed from the previous build, and micropatching becoming a standard no-brainer solution for everyone.
Mitja Kolsek is the CEO of ACROS Security and co-founder of 0patch. His 15-year infosec career comprises co-running a small security outfit which ran APT-like attack simulations before China was guilty of everything, used SQL injection before it had a name, and discovered vulnerability types which were previously unknown. In contrast to just finding and exploiting vulnerabilities, his next 15 years will be augmented by fixing them. Most of all he’d like to leave information security some day in a state where it’ll be darn difficult to break into a typical network deploying standard and inexpensive security solutions.