If you won't patch your software, these guys will

What happens if you’re a vendor that’s slow to patch a known flaw? Someone else may step in and do it for you. That’s what has been happening for the past few months with products from vendors such as Adobe and Microsoft.

Most recently, Slovenian security consulting firm Acros Security stepped in with a third-party patch for an issue with Microsoft’s gdi32.dll in Windows 10.

Google’s Project Zero security team reported the bug, a memory-disclosure flaw in the way gdi32.dll handles EMF image records, to Microsoft in March 2016. Microsoft patched it in June 2016, but incompletely, according to Google’s researchers, who reported the remaining problem in November. When the fix had still not shipped by February 2017, the 90-day disclosure deadline attached to Google’s November report expired and the bug, together with proof-of-concept code, became public.

Microsoft scrambled to fix the bug, but in the meantime Acros released a small patch, effectively the size of a tweet, that blocked exploitation of the vulnerability on systems running its agent.

Not your grandma’s software patch

You might worry about companies applying unauthorized patches to a vendor’s code. After all, if you tinker with a software application’s binary, you might cause more harm than good. You could introduce a flaw, or at the very least create licensing and warranty issues. However, Acros co-founder Mitja Kolsek is at pains to point out that these are ‘micropatches’, different from conventional software updates. Hence the name for its micropatching project: 0patch.

“We don’t touch the binary at all,” he explains. “These micropatches are only applied in memory.” An agent created by Acros runs on the endpoint, watches for processes loading executable modules for which it holds a micropatch, and applies that micropatch in the memory of the running process; the files on disk are never modified.

Micropatches won’t detect malware that is already installed, he clarifies; they block malware that relies on a particular exploit to install itself on the system.

Launched as a beta in June 2016, 0patch uses ‘function hooking’ – a technique long known to anti-malware vendors – to inject extra instructions into an application binary as it runs. The micropatch, typically less than 140 characters long, consists of the extra instructions (usually only a line or two, such as a missing bounds check) and a binary offset: the location within the specific vulnerable module, and hence in the memory of any process that has loaded it, at which to inject them.
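The mechanism described above, reduced to a runnable illustration (this is an added example written for this article, not 0patch’s own code, which is not public): a routine that trusts a length byte inside a record is hooked in memory by overwriting its entry point with a `jmp` to a replacement that adds the one missing check. The vulnerable routine, the replacement, the record layout and all names are assumptions for the demo; a real agent would compute the patch site as the loaded module’s base address plus the offset stored in the micropatch, and would inject only the check and jump back rather than replacing the whole function. Assumes x86-64 Linux with GCC or Clang.

```c
/* In-memory function hooking as a micropatch (added example, not 0patch code).
 * Assumes x86-64 Linux; writes a 5-byte `jmp rel32` at the target's entry. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#if !defined(__x86_64__)
#error "this example writes x86-64 machine code (jmp rel32)"
#endif

typedef int (*copy_fn)(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap);

/* Hypothetical vulnerable routine: trusts the length byte at rec[0]. */
__attribute__((noinline))
int copy_record_vuln(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    (void)out_cap;                  /* BUG: never compared against the length */
    if (rec_len < 1) return -1;
    size_t n = rec[0];
    memcpy(out, rec + 1, n);        /* overflows `out` when n > out_cap */
    return (int)n;
}

/* The micropatch body: same signature, same logic plus the missing check. */
__attribute__((noinline))
int copy_record_patched(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 1) return -1;
    size_t n = rec[0];
    if (n > out_cap || n > rec_len - 1) return -1;   /* the one added check */
    memcpy(out, rec + 1, n);
    return (int)n;
}

/* Overwrite the entry of `target` with `jmp rel32` to `hook`. 0 on success. */
int install_inline_hook(void *target, void *hook)
{
    uint8_t *p = (uint8_t *)target;
    /* Keep an endbr64 (F3 0F 1E FA) landing pad if the compiler emitted one,
     * so indirect calls still land on a valid CET target. */
    static const uint8_t endbr64[4] = {0xF3, 0x0F, 0x1E, 0xFA};
    if (memcmp(p, endbr64, sizeof endbr64) == 0) p += 4;

    intptr_t rel = (intptr_t)((uintptr_t)hook - (uintptr_t)(p + 5));
    if (rel > INT32_MAX || rel < INT32_MIN) return -1;   /* beyond jmp rel32 reach */

    long page = sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)p & ~(uintptr_t)(page - 1);
    uintptr_t end = ((uintptr_t)p + 5 + (uintptr_t)page - 1) & ~(uintptr_t)(page - 1);
    size_t len = end - start;

    /* RWX rather than RW while writing: this function may live on the same
     * text page, and it must stay executable until the store is done. */
    if (mprotect((void *)start, len, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) return -1;
    int32_t rel32 = (int32_t)rel;
    p[0] = 0xE9;                             /* jmp rel32 */
    memcpy(p + 1, &rel32, sizeof rel32);
    if (mprotect((void *)start, len, PROT_READ | PROT_EXEC) != 0) return -1;
    return 0;
}

/* Constructed input: a record claiming 40 payload bytes aimed at a 16-byte slot.
 * Buffers are oversized so the overflow stays inside our own allocation, and a
 * 0xCC canary after the slot shows whether it was overrun.
 * Returns 0 when the unpatched call overflows and the patched call refuses. */
int run_micropatch_demo(void)
{
    uint8_t rec[64];
    memset(rec, 0x41, sizeof rec);
    rec[0] = 40;                               /* malicious length byte */
    uint8_t out[64];
    memset(out, 0xCC, sizeof out);

    volatile copy_fn copy = copy_record_vuln;  /* opaque call target, as in a real binary */

    if (copy(rec, sizeof rec, out, 16) != 40 || out[16] == 0xCC) return 1;  /* must overflow */

    if (install_inline_hook((void *)copy_record_vuln, (void *)copy_record_patched) != 0) return 2;

    memset(out, 0xCC, sizeof out);
    if (copy(rec, sizeof rec, out, 16) != -1 || out[16] != 0xCC) return 3;  /* now rejected */

    rec[0] = 8;                                /* benign record still works */
    if (copy(rec, sizeof rec, out, 16) != 8) return 4;
    return 0;
}

int main(void)
{
    int rc = run_micropatch_demo();
    if (rc == 0) printf("micropatch applied in memory: overflow blocked\n");
    else printf("demo step %d failed\n", rc);
    return rc;
}
```

Note what the hook does not do: nothing on disk changes, the original call sites are untouched, and the patch only survives until the process exits, which is why the agent has to reapply it each time the module is loaded. A micropatch is also tied to one exact build of the module, since the offset points into its code.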

Because each micropatch fixes one specific flaw with a few instructions, it isn’t designed to replace traditional software patches.

“Large code corrections would still have to be done for many design and functional flaws. Not everything can be patched with micropatches,” Kolsek explains. “But ideally Microsoft would be able to go from monthly Patch Tuesdays to bi-monthly or tri-monthly Patch Tuesdays.”

Reducing this heavy lifting would be welcome at many companies, which otherwise face a testing and change management burden as they rush to ensure that new software patches don’t break anything.

Dangerous software patches are more common than you might think. In 2014, Microsoft had to pull and reissue an update after it caused crashes on Windows 7. A year earlier, a Java update that closed a widely exploited hole broke legacy applications because it removed the previous version of Java they depended on.

As patching methodologies evolve, change management becomes harder for companies. Microsoft now ships cumulative updates for Windows 10 (and monthly rollups for older versions) that bundle many fixes together, so a single fix cannot be skipped on its own. A problem with one fix can therefore hold up the whole bundle, which is what happened in February 2017 when Microsoft postponed that month’s entire release.

There’s another angle to this, points out Ollie Whitehouse, technical director at security services company NCC Group: end-of-life systems. Some organisations keep running systems long after vendors withdraw support.

“There will be an increasing market in all of those legacy systems’ security maintenance,” he says. “It’s an entirely valid strategy. The beauty of that is that the rich firms will be willing to pay to keep them going.”

Acros is already patching unsupported systems. Last month, it released a micropatch via 0patch for CVE-2017-7269, a remote buffer overflow in the WebDAV service of IIS 6.0 on Windows Server 2003. Microsoft no longer supports that product, so the server is officially unpatchable and a micropatch is the only fix short of disabling WebDAV.

Acros has released around 300 patches to date, covering everything from Java Runtime to Adobe Reader, Firefox and OpenSSL. It wants software vendors to use its agent as a kind of interim patching mechanism, and is also courting security researchers to develop their own micropatches. The agent software is free for now, as it’s in beta.

“We want as many people as possible to know about this technology and start using it,” Kolsek says. Acros is talking to endpoint security vendors about including the tech in their products.

