Reverse Engineering Microsoft Patches in 20 Minutes

Posted by jericho Fri, 24 Jun 2005 20:51:39 GMT

Halvar posted to the DailyDave mailing list today a brief Flash-based demonstration of some of his reverse engineering tools. The presentation shows how one can reverse engineer a Microsoft patch using binary diff analysis and determine exactly what the vulnerability is, down to the function.
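As an added illustration of the binary-diff idea described above (this is not Halvar's tooling or code from the post), the toy below compares two constructed "disassemblies" of the same module, function by function, normalizing absolute addresses so that relocation noise alone does not flag a function; only the one that actually gained a bounds check is reported as modified. Function names, instruction lists and addresses are all made up for the example.

```python
"""Toy function-level patch diff in the spirit of binary diffing a vendor patch."""
import difflib
import hashlib
import re

# Constructed sample: function name -> instruction list for the pre- and post-patch
# builds. Call/jump targets differ between builds purely because of relocation.
PRE_PATCH = {
    "parse_header": ["push ebp", "mov ebp, esp", "mov ecx, [ebp+0x8]", "call 0x401200", "pop ebp", "ret"],
    "copy_record": ["push ebp", "mov ebp, esp", "mov eax, [ebp+0x8]", "mov ecx, [ebp+0xc]",
                    "rep movsb", "pop ebp", "ret"],
    "log_event": ["push ebp", "mov ebp, esp", "call 0x401800", "pop ebp", "ret"],
}
POST_PATCH = {
    "parse_header": ["push ebp", "mov ebp, esp", "mov ecx, [ebp+0x8]", "call 0x401340", "pop ebp", "ret"],
    "copy_record": ["push ebp", "mov ebp, esp", "mov eax, [ebp+0x8]", "mov ecx, [ebp+0xc]",
                    "cmp ecx, 0x100", "ja 0x4015c0", "rep movsb", "pop ebp", "ret"],
    "log_event": ["push ebp", "mov ebp, esp", "call 0x401a20", "pop ebp", "ret"],
}

# Immediates of five or more hex digits are treated as code/data addresses (assumption
# for this toy); short immediates such as 0x100 are real constants and are kept.
ADDR = re.compile(r"0x[0-9a-f]{5,}")


def normalize(insns):
    """Replace absolute addresses with a placeholder so relocation does not look like a fix."""
    return [ADDR.sub("ADDR", insn) for insn in insns]


def fingerprint(insns):
    """Hash of the normalized instruction stream, used to match unchanged functions quickly."""
    return hashlib.sha256("\n".join(normalize(insns)).encode()).hexdigest()


def changed_functions(pre, post):
    """Map each function that differs to 'added', 'removed' or 'modified'."""
    changed = {}
    for name in sorted(set(pre) | set(post)):
        if name not in pre or name not in post:
            changed[name] = "added" if name not in pre else "removed"
        elif fingerprint(pre[name]) != fingerprint(post[name]):
            changed[name] = "modified"
    return changed


def instruction_diff(pre_insns, post_insns):
    """Only the inserted/deleted normalized instructions, i.e. what the patch actually changed."""
    return [line for line in difflib.ndiff(normalize(pre_insns), normalize(post_insns))
            if line[0] in "+-"]


if __name__ == "__main__":
    for name, kind in changed_functions(PRE_PATCH, POST_PATCH).items():
        print(f"{name}: {kind}")
        if kind == "modified":
            print("\n".join(instruction_diff(PRE_PATCH[name], POST_PATCH[name])))
```

For a defender the output is the interesting part: knowing which function gained a length check says which code path the advisory was vague about, and therefore what to prioritize patching and monitoring.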

What will this technology and method mean when hundreds (thousands?) of people can reverse engineer a patch that fast and offer full vulnerability details within minutes of its release? That type of information would be incredibly valuable to some people, probably for more nefarious purposes. It would also be incredibly useful to the security community and to vulnerability databases, which often have a difficult time separating issues due to a lack of details.

Even more interesting: would this give a more concise history of vulnerabilities in a given vendor’s product, demonstrating that the same programs, routines and even functions are found vulnerable repeatedly? Would this help companies identify who should be singled out for additional “secure coding” workshops?

post: http://archives.neohapsis.com/archives/dailydave/2005-q2/0377.html
demo: http://www.sabre-security.com/products/flashbindiffpng.html


Comments

  1. jericho said 6 days later:

    http://www.securityfocus.com/news/11235

    Reverse engineering patches making disclosure a moot choice? Robert Lemos, SecurityFocus 2005-07-01

    When Microsoft released limited information on a critical vulnerability in Internet Explorer last month, reverse engineer Halvar Flake decided to dig deeper.

    [..]

    In a paper published in early June, SABRE researchers discussed how they had pinpointed, in less than 30 minutes, the flaw fixed by a Microsoft update to the Secure Sockets Layer (SSL). A reliable exploit for the flaw was created in less than 10 hours. In another example in the paper, the tool was used to discover in less than 3 hours that Microsoft had corrected a communications vulnerability in the Internet Security and Acceleration (ISA) Server, but had missed the same vulnerability in other parts of the system.

    [..]

    “We have reached the point where the patch is as revealing as an advisory,” said David Aitel, principal researcher and CEO of security firm Immunity.
