Update: 4_25_2008: Added link for updated article based on review of APEG paper (here)
Security Focus has an article describing a system for reverse engineering Microsoft patches to determine the deltas between binaries and automagically developing exploit code within seconds (here).
The technique, which the researchers refer to as automatic patch-based exploit generation (APEG), can create attack code for most major types of vulnerabilities in minutes by automating the analysis of a patch designed to fix the flaws, the researchers stated in a paper released last week. If Microsoft does not change the way its patches are distributed to customers, attackers could create a system to attack the flaws in unpatched systems minutes after an update is released by the software giant, said David Brumley, a PhD candidate in computer science at Carnegie Mellon University.
Honestly, I am surprised someone hadn’t already developed such a system; you would think the folks at Bluelane would have one running in their lab. Anyway, there is little doubt that the time to protect against dynamic threats is decreasing and that minutes matter. However, the reality is that most organizations can barely patch within 3-6 weeks using their crappy version of SMS/SCCM, so really, what’s the difference between seconds, minutes, hours, days or weeks? And how should an organization deal with what we already knew were dramatically shorter times to protect?
Well, the first thing to note is that the old scan-and-patch model is broken (here). That’s not to say that patch management isn’t important (it is critical!), but the immediate response to exploit code in the wild may not always be to distribute a patch; it may be to shield against the threat by mitigating the vulnerable condition. Essentially, the response should be to shield first and then remove the root cause, which in most cases means shield the environment and then patch, upgrade or remove the vulnerability or exposure.
Scan and patch = ineffective
Define policy, audit against policy, enforce policy + shield against emerging threats, then eliminate root cause = effective
So how does an organization shield against attack? It must coordinate all of its network- and host-based technologies as part of its vulnerability and threat management program. Of course, this level of organizational command and control requires technologies like BigFix (here) and processes that support rapid modification of environmental variables. How is that different from delivering a patch quickly, you ask? Modifying a firewall, host- or network-based, to block ingress or egress traffic on a particular port is far easier and faster than deploying a patch, and rolling back that change requires far less effort and environmental disruption than other mitigations.
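The shield-then-patch-then-roll-back sequence described above, written out as a small triage loop over a host inventory. This is an added example, not code from the post and not BigFix’s or any vendor’s API: the host names, versions, the fixed version, port 445 and the rendered iptables rule text are all constructed for illustration, and the "inventory" is an in-memory record rather than a real endpoint agent.

```python
"""Shield-then-patch triage over a constructed host inventory (added example)."""
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    version: str                                  # installed version of the affected software
    listening: bool                               # the vulnerable service is reachable on the policy port
    shields: set = field(default_factory=set)     # ports with a temporary block rule in place


@dataclass(frozen=True)
class Policy:
    fixed_version: str    # first version that contains the fix (constructed)
    port: int             # port the vulnerable service listens on (constructed)


# Constructed policy for the example: fix shipped in 1.3.0, service on TCP/445.
SAMPLE_POLICY = Policy(fixed_version="1.3.0", port=445)


def sample_inventory():
    """Constructed hosts in each of the states the triage has to handle."""
    return [
        Host("web01", "1.2.3", listening=True),               # exposed, unshielded
        Host("db01", "1.2.3", listening=True, shields={445}),  # exposed but shielded
        Host("app01", "1.3.0", listening=True, shields={445}), # patched, shield still up
        Host("ws01", "1.2.3", listening=False),               # vulnerable code, not reachable
    ]


def version_tuple(v):
    return tuple(int(x) for x in v.split("."))


def is_patched(host, policy):
    return version_tuple(host.version) >= version_tuple(policy.fixed_version)


def is_shielded(host, policy):
    return policy.port in host.shields


def next_action(host, policy):
    """Decide the single next step for a host.
    Order matters: contain the exposure first (cheap, reversible), eliminate the
    root cause second, and lift the temporary shield only once the root cause is gone."""
    if not host.listening:
        return "none"                     # not exposed on this port
    patched, shielded = is_patched(host, policy), is_shielded(host, policy)
    if not patched and not shielded:
        return "shield"
    if not patched and shielded:
        return "patch"
    if patched and shielded:
        return "rollback"
    return "none"


def firewall_rule(host, policy, action):
    """Render the host-level block/unblock rule for the chosen action.
    iptables syntax is assumed for illustration; a network firewall would differ."""
    verb = {"shield": "-A", "rollback": "-D"}.get(action)
    if verb is None:
        return None                       # patching is not a firewall change
    return f"iptables {verb} INPUT -p tcp --dport {policy.port} -j DROP  # {host.name}"


def triage(hosts, policy):
    """Return {host name: next action} for the whole inventory."""
    return {h.name: next_action(h, policy) for h in hosts}


def apply(host, policy, action):
    """Simulate the action on the inventory record so the next cycle sees its effect."""
    if action == "shield":
        host.shields.add(policy.port)
    elif action == "patch":
        host.version = policy.fixed_version
    elif action == "rollback":
        host.shields.discard(policy.port)
    return host


def run_until_stable(hosts, policy, max_cycles=10):
    """Repeat triage/apply until every host needs nothing; returns one action map per cycle."""
    history = []
    for _ in range(max_cycles):
        actions = triage(hosts, policy)
        history.append(actions)
        if all(a == "none" for a in actions.values()):
            break
        for h in hosts:
            apply(h, policy, actions[h.name])
    return history


if __name__ == "__main__":
    for cycle, actions in enumerate(run_until_stable(sample_inventory(), SAMPLE_POLICY), 1):
        print(f"cycle {cycle}: {actions}")
```

Running it shows the point of the post in miniature: an exposed host is shielded on the first cycle, patched on the second, and has its shield rolled back on the third, while a host that is not reachable on the port never generates a change at all. The rendered rule is the reversible part of the sequence; the patch is the part that actually removes the root cause.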