The Threat From Reverse-Engineering Patches
Thursday July 7, 2005
Some people think that malware writers and malicious computer attackers sit around sifting through computer code looking for new and creative ways to exploit and compromise target systems. Security researchers work diligently to discover flaws and security holes and report them to vendors, often in part for the glory and name recognition of finding them first. But often the attackers don't need that much initiative. It is much easier to wait for a patch to be released and simply look at the code in the patch. Rather than tearing the whole program apart, they can reverse engineer the patch to determine what it changes, thereby identifying where the flaw exists in unpatched systems. That starts the clock ticking in the race between applying the patch and having an exploit created to compromise vulnerable systems. I first wrote about reverse-engineering Microsoft patches in an article from February of 2004, but with new tools the time between patch release and functional exploit is decreasing rapidly. According to an article in SecurityFocus, using a tool such as BinDiff from SABRE Security, the differences between the original and patched code can be identified in mere minutes and an effective exploit created in under a day. For more about reverse-engineering patches, see Robert Lemos' article "Reverse engineering patches making disclosure a moot choice?"
