Slashdot Mirror

← Back to Stories (view on slashdot.org)

Windows Update Can Hurt Security

Posted by kdawson on from the manufacturing-exploits-on-internet-time dept.

An anonymous reader writes "Researchers at Carnegie Mellon University have shown that given a buggy program with an unknown vulnerability, and a patch, it is possible automatically to create an exploit for unpatched systems. They demonstrate this by showing automatic patch-based exploit generation for several Windows vulnerabilities and patches can be achieved within a few minutes of when a patch is first released. From the article: 'One important security implication is that current patch distribution schemes which stagger patch distribution over long time periods, such as Windows Update... can detract from overall security, and should be redesigned.' The full paper is available as PDF, and will appear at the IEEE Security and Privacy Symposium in May."

20 of 220 comments (clear)

  1. Quiz by Lord+Grey · · Score: 5, Funny
    Fill in the blank:

    Windows _____________ Can Hurt Security
    1. 1) "Applications"
    2. 2) "Network Connectivity"
    3. 3) "Update"
    4. 4) "Users"
    5. 5) ""
    --
    // Beyond Here Lie Dragons
    1. Re:Quiz by 4D6963 · · Score: 5, Funny

      Fill in the blank:

      Windows _____________ Can Hurt Security

      1. 1) "Applications"
      2. 2) "Network Connectivity"
      3. 3) "Update"
      4. 4) "Users"
      5. 5) ""

      1. 6) "Profit"?
      --
      You just got troll'd!
  2. Doesn't matter by Z00L00K · · Score: 4, Insightful
    You can never distribute patches synchronously to all the PC:s in the world. And you can't hide what the patch fixes.

    You are damned either way. The only way to avoid complete damnation from security vulnerabilities is to run a large number of different operating systems, but then you are damned to live a life in complete confusion about system maintenance instead.

    The onion principle is a general security term that has been defined a long time ago, but the fact that we are all online in some way or another all the time means that the onion is rotten.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    1. Re:Doesn't matter by Loether · · Score: 4, Insightful

      I admit I didn't rtfa. however if you use bittorrent or a similar system everyone downloading at the same moment would work better and faster. Everyone would have the patches very close to the same time. At the very least that would decrease the amount of time a potential attacker has to attempt this.

      --
      TODO create witty sig.
    2. Re:Doesn't matter by Anonymous Coward · · Score: 5, Insightful

      You can never distribute patches synchronously to all the PC:s in the world. True enough.

      And you can't hide what the patch fixes. Wrong. You can encrypt the patch.

      Steam has no problem distributing games to players so that they can all unlock them on release day. All you have to do is preload the patch with staggered downloads but not send out the key until the same time. Then all machines can decrypt and patch and install them at roughly the same time, helping to greatly cut down on the time between when the patch can be figured out and the time that machines are still vulnerable.

      Not fool-proof, of course, but it seems like something Microsoft should seriously consider doing.
    3. Re:Doesn't matter by Sancho · · Score: 5, Insightful

      You can't overwrite a file that's in use by Windows. You can overwrite a file that's in use by Linux. The old image is still there. Any new processes loading the file will get the new version, and any old processes which still have a file handle to the old file get to use the old image.
      I don't know if that's the whole reason, but I bet that it's part of it.

    4. Re:Doesn't matter by Ahnteis · · Score: 4, Insightful

      99% of PCs are NOT:
      1) Turned on
      AND
      2) Connected to the internet
      at the ANY one time. It doesn't matter if it's 1 packet or 150 packets if the computer is off or not currently connected.

    5. Re:Doesn't matter by Vellmont · · Score: 4, Insightful


      are you 100% sure you're not still running some vulnerable code?

      If I've restarted the server process, yes.

      What if bash had a vulnerability, and you installed the new version but old bash processes were still running?

      I'd kill all bash processes.

      if you're really lucky then the package manager will know to restart the service after installing a new version.

      That's been quite standard for a long time. I know Redhat includes that in their RHEL distribution. So I wouldn't exactly call that "really lucky"

      But how confident are you that everything is covered?

      Unless it's something critical like a shared library vulnerability, very confident. In the case of a shared lib, it might be easier to just reboot the machine than restarting all the various processes. But at least you have a choice in the matter, which 9/10 of the time you simply don't with Windows.

      --
      AccountKiller
  3. Worst possible way to critize Windows Updates by pembo13 · · Score: 4, Insightful

    There is no good solution to this problem -- that fixing something makes it easier to find old problems. At some point, users need to be responsible enough to apply updates.

    --
    "Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
    1. Re:Worst possible way to critize Windows Updates by realthing02 · · Score: 5, Insightful

      I think you actually missed the worst part about this summary (not the article...)

      From the summary: "Such as Windows Update... can detract from overall security, and should be redesigned."

      The ellipse represents 14 pages of information in this sentence. And the Actual PDF doesn't say it detracts from security, but rather that the scheme is insecure. Which is quite a difference. Normally I don't do this, but the quote is really stupid when put the way the contributor or editor put in there. The article was interesting enough on its own accord (automatic patch-exploit generation) without having to throw your own personal cracks in there.

      Let's grow up, people.

  4. update this, fuckers by Anonymous Coward · · Score: 5, Insightful

    Profitability is key, not security. Think of sysadmins as janitors. We pay you to wipe up the mess. It's not worth our while to invest in systems that don't create a mess as long as janitors are cheap enough to come with their electronic mops and buckets.

    And you are.

    Sorry.

    1. Re:update this, fuckers by somersault · · Score: 4, Insightful

      Meh, don't come crying to me when some guy in [insert-evil-country-here] steals your identity, uses it to buy a few Porsche's and setup illegal goat kid porn themed websites in your name. You keep making your messes, I'm happy to make $50000 a year cleaning them up as long as it doesn't happen more than two or three times a year..

      --
      which is totally what she said
  5. Windows bashing aside ... by utnapistim · · Score: 4, Insightful

    ... patch based security is also the model linux uses (as far as I understand).

    Furthermore, for Linux access to the unpatched code is also easy to obtain.

    Somebody please correct me if I'm mistaken.

    --
    Tie two birds together: although they have four wings, they cannot fly. (The blind man)
  6. How is this limited to Windows? by analog_line · · Score: 4, Insightful

    Couldn't this process (modified of course) do the same thing to any update for any software at all?

    How exactly is this news? I mean, I should update my software when there's a new patch anyway, but now that THIS has been developed I...need to update my software when there's a new patch... Automating it is a pretty neat trick, and it pretty much destroys any argument for security through obscurity, since it means you couldn't patch any hole to maintain the obscurity, but it's not like security through obscurity in the computer software realm has that amazing a track record in any case.

  7. From the PDF: by TripMaster+Monkey · · Score: 4, Informative

    The PDF outlines three methods of alleviating the problem of staggered patch distribution:

    1) Patch Obfuscation: basically an attempt to hide exactly what the patch fixes by padding out the patch with a lot of lines of nonsense. While this might prove effective, it would only be effective until an improved algorithm for discerning the true reason for the patch is found, and in the meantime, it would create its own set of problems, particularly if the level of obfuscation required balloons the size of the patch to an unmanageable degree.

    2) Patch Encryption: basically distributing the patch in an encrypted format, waiting until it is reasonable to assume that everyone has the patch, and then transmitting a decryption key to decrypt and apply the patch more or less "simultaneously". Problems: this only pushes the problem back one level; meaning the same method of exploitation is just as possible, while this also creates an unacceptable time lag for patches to be applied, which hackers who write exploits the old-fashioned way can exploit to their considerable benefit.

    3) Fast Patch Distribution: basically leveraging technologies like P2P to insure that patches are rolled out...well...fast. Problems again include off-line hoists, as well as hosts who have the misfortune of being on ISPs that take a dim view of P2P.

    In summary, none of the methods outlined have much of a chance to combat this new threat.

    --
    ____

    ~ |rip/\/\aster /\/\onkey

  8. No fix feasible by Todd+Knarr · · Score: 4, Interesting

    Unfortunately, no fix is feasible. The basic problem is twofold:

    • If you tell someone how to fix a problem, you tell them what the problem was.
    • It's not possible to push updates to all affected systems simultaneously.
    That the first is true should be obvious if you think about it for a minute. As for the second, that comes from the fact that the affected systems are owned by different entities with different requirements and different environments. A fix for a problem affects more than just the fixed software, especially when the fix is in the operating system on which other business-critical software runs. Any fix has to be checked for compatibility with that entity's specific environment, this checking can't start until after the entity has gotten the fix, and everybody's going to take a different amount of time to check and get clearance to deploy.

    The only "fix" would be a mandatory push to all systems at one time, and that won't be accepted by the people who own the systems unless Microsoft or someone else accepts complete 100% liability for all costs associated with any failure. And I just don't see that happening.

  9. Automatically deriving exploits by theorem proving by Animats · · Score: 5, Informative

    This is fascinating. As someone who's worked with automatic theorem proving and proof of correctness techniques, I'd never thought of using them in this way.

    What they're doing works like a proof of correctness system in reverse. They difference executables before and after the patch (which in itself is impressive), then, having isolated the patch, analyze it automatically. Security patches usually consist of adding a test which constrains the valid inputs at some point. So they use a symbolic decision procedure, which is part of a theorem prover, to work back through the code and automatically derive a set of inputs that would be caught by the new test.

    This is more than just an attack on Windows Update. It's true automated exploit generation.

    This is potentially applicable to any security-critical code that changes over time. One could, for example, have something that watched check-ins to the Linux kernel tree and developed new exploits to current stable releases from them.

  10. Ok, it's bad. Got any better ideas? by Opportunist · · Score: 4, Insightful

    If you have a patch, you can diff the original and the patched file and find out what got fixed. No secret here.

    So how can you close the gap between fixing and exploiting? That's nothing MS could fix. You have to. Patch early, patch often.

    If any message is contained here, it's that if there is a patch out and you didn't use it, you're extremely vulnerable. That's pretty much it, nothing really new here.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  11. Which just shifts the problem. by Ungrounded+Lightning · · Score: 4, Interesting

    Or distribute encrypted patches over the course of a day, then when you publish the key everyone can update

    Which shifts the problem from distributing the update to distributing the key.

    Of course this does have another advantage: Distributing the encrypted update also distributes notification that there WILL be a key, and can tell the users when. Then it becomes a race to get the key and apply the patch before the bad guys can get the key, generate, and deploy an exploit.

    And the downside: The bad guys also know the patch is coming, and when. So they can use their existing botnet(s) to grab a key as soon as possible, then DDOS the key distribution mechanism while they generate and deploy the exploit. This makes things WORSE: A much larger fraction of the machines are vulnerable when the exploit deploys.

    Still worse: If the bad guys crack the encryption, or manage to break in and grab the key early, they get to automatically generate and deploy an exploit while NOBODY has the fix. Oops!

    Ditto even if they don't crack the patch - but the patches exposes that a vulnerability exists and perhaps what module has it, and they find and exploit the vulnerability before the key deploys.

    = = = =

    In a battle between weapons and armor, weapons eventually win.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  12. Re:Nope. That's a logic error. by RiotingPacifist · · Score: 4, Insightful

    Nope. If that were correct, then Apple would see 5% (or so) of the "virus" development out there. You have to put alot of work into making an exploit, do you choose to put that work into something that gives you 90% or 5% returns. Its not like if there were 100 hackers and they all decide to pick on 100 machines at random, no they all try to infect the most machines possible (you need to infect 6% of Windows machines to have the same effect as writing an exploit so good it infects every mac machine), and that means all 100 hackers will go for windows!

    While Apple may be more secure, until you get 50% market share your not going to get 50% of the effort put into attacking you.

    --
    IranAir Flight 655 never forget!