Slashdot Mirror


Windows Update Can Hurt Security

An anonymous reader writes "Researchers at Carnegie Mellon University have shown that given a buggy program with an unknown vulnerability, and a patch, it is possible automatically to create an exploit for unpatched systems. They demonstrate this by showing automatic patch-based exploit generation for several Windows vulnerabilities and patches can be achieved within a few minutes of when a patch is first released. From the article: 'One important security implication is that current patch distribution schemes which stagger patch distribution over long time periods, such as Windows Update... can detract from overall security, and should be redesigned.' The full paper is available as PDF, and will appear at the IEEE Security and Privacy Symposium in May."

7 of 220 comments

  1. Quiz by Lord+Grey · Score: 5, Funny
    Fill in the blank:

    Windows _____________ Can Hurt Security
    1) "Applications"
    2) "Network Connectivity"
    3) "Update"
    4) "Users"
    5) ""
    --
    // Beyond Here Lie Dragons
    1. Re:Quiz by 4D6963 · Score: 5, Funny

      Fill in the blank:

      Windows _____________ Can Hurt Security

      1) "Applications"
      2) "Network Connectivity"
      3) "Update"
      4) "Users"
      5) ""

      6) "Profit"?
      --
      You just got troll'd!
  2. update this, fuckers by Anonymous Coward · Score: 5, Insightful

    Profitability is key, not security. Think of sysadmins as janitors. We pay you to wipe up the mess. It's not worth our while to invest in systems that don't create a mess as long as janitors are cheap enough to come with their electronic mops and buckets.

    And you are.

    Sorry.

  3. Re:Doesn't matter by Anonymous Coward · Score: 5, Insightful

    You can never distribute patches synchronously to all the PCs in the world. True enough.

    And you can't hide what the patch fixes. Wrong. You can encrypt the patch.

    Steam has no problem distributing games to players so that they can all unlock them on release day. All you have to do is preload the patch with staggered downloads but not send out the key until the same time. Then all machines can decrypt and patch and install them at roughly the same time, helping to greatly cut down on the time between when the patch can be figured out and the time that machines are still vulnerable.

    Not fool-proof, of course, but it seems like something Microsoft should seriously consider doing.
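The scheme sketched in the comment above, as an added simulation that is not part of the original thread and is not Microsoft's, Valve's or the paper's code: the vendor staggers delivery of an encrypted patch blob over a long window, clients can verify and hold the blob but cannot read it, and only a short key is published at the release instant. The cipher here is a toy HMAC-SHA256 keystream with an HMAC tag, chosen so the example runs on the standard library alone; a real deployment would use an authenticated cipher such as AES-GCM and a signed key announcement. The patch bytes, client names and timeline are constructed.

```python
"""Staggered preload of an encrypted patch with synchronous key release.
Example code written for this page; cipher is illustrative only (stdlib-only toy)."""
import hashlib
import hmac
import secrets

PATCH = b"constructed sample patch: bounds check added in handler()"  # constructed


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy CTR-style keystream from HMAC-SHA256; not a production cipher."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def encrypt_patch(key: bytes, patch: bytes) -> bytes:
    """Return nonce || ciphertext || tag. Without `key` the blob reveals only its length."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(patch, _keystream(key, nonce, len(patch))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_patch(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; a tampered preload is rejected, not installed."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("patch blob failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Vendor:
    """Serves the ciphertext any time; serves the key only once release_time is reached."""

    def __init__(self, patch: bytes, release_time: int):
        self.key = secrets.token_bytes(32)
        self.blob = encrypt_patch(self.key, patch)
        self.release_time = release_time

    def download(self) -> bytes:
        return self.blob  # can be staggered over days: only ciphertext leaves the vendor

    def fetch_key(self, now: int):
        return self.key if now >= self.release_time else None


class Client:
    def __init__(self, name: str):
        self.name = name
        self.blob = None
        self.installed = None

    def preload(self, vendor: Vendor) -> None:
        self.blob = vendor.download()

    def try_install(self, vendor: Vendor, now: int) -> bool:
        key = vendor.fetch_key(now)
        if key is None or self.blob is None:
            return False  # nothing to diff yet: the plaintext patch never existed here
        self.installed = decrypt_patch(key, self.blob)
        return True


def run_simulation(n_clients: int = 5, release_time: int = 100) -> dict:
    """Clients preload at staggered times; all install at the same instant."""
    vendor = Vendor(PATCH, release_time)
    clients = [Client(f"pc{i}") for i in range(n_clients)]
    for i, c in enumerate(clients):
        c.preload(vendor)                       # download at time 10*i (constructed schedule)
        c.try_install(vendor, now=10 * i)       # fails: key not yet published
    before = sum(c.installed is not None for c in clients)
    at_release = sum(c.try_install(vendor, now=release_time) for c in clients)
    return {
        "installed_before_release": before,
        "installed_at_release": at_release,
        "all_match": all(c.installed == PATCH for c in clients),
    }


def tampered_blob_rejected() -> bool:
    """A preloaded blob altered in transit must not decrypt to an installable patch."""
    vendor = Vendor(PATCH, release_time=0)
    blob = bytearray(vendor.download())
    blob[20] ^= 0x01  # flip one ciphertext bit
    try:
        decrypt_patch(vendor.key, bytes(blob))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_simulation())
    print("tampered blob rejected:", tampered_blob_rejected())
```

The design only compresses the window rather than closing it: the moment the key is published, every machine that preloaded can decrypt, so patch diffing and patching start at the same instant instead of the diffing starting days before the last machine patches. Machines that missed the preload are in the same position as under a plain staggered rollout.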
  4. Re:Doesn't matter by Sancho · Score: 5, Insightful

    You can't overwrite a file that's in use by Windows. You can overwrite a file that's in use by Linux. The old image is still there. Any new processes loading the file will get the new version, and any old processes which still have a file handle to the old file get to use the old image.
    I don't know if that's the whole reason, but I bet that it's part of it.
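The POSIX file-replacement behaviour the comment describes, as an added example that is not part of the original thread: an updater writes the new image under a temporary name and renames it over the old one while another "process" still holds the old file open. The old inode lives on for that handle (with its link count dropped to zero), while any new open sees the new contents. The file names and contents are constructed; it assumes a POSIX filesystem (Linux or macOS), since on Windows the rename step would typically fail with a sharing violation while the file is open.

```python
"""Replace-while-open on POSIX: old handles keep the old image, new opens get the new one.
Example code written for this page, not from the comment's author."""
import os
import tempfile


def handle_is_stale(fileobj, path: str) -> bool:
    """True if `fileobj` refers to a different inode than what `path` now names.
    This is the same check tools use to find services still running an old library."""
    return os.fstat(fileobj.fileno()).st_ino != os.stat(path).st_ino


def replace_while_open(old: bytes = b"libfoo v1: vulnerable\n",
                       new: bytes = b"libfoo v2: patched\n") -> dict:
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "libfoo.so")
        with open(path, "wb") as f:
            f.write(old)

        # Simulates a running process that already has the old image open.
        running = open(path, "rb")

        # Updater: write the new image to a temp name, fsync, then atomically rename over the old.
        tmp = path + ".tmp"
        with open(tmp, "wb") as f:
            f.write(new)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)

        old_seen = running.read()                     # still the old bytes
        with open(path, "rb") as fresh:               # new opens resolve to the new inode
            new_seen = fresh.read()
        result = {
            "old_handle_reads": old_seen,
            "new_open_reads": new_seen,
            "old_nlink": os.fstat(running.fileno()).st_nlink,   # 0: no directory entry left
            "stale": handle_is_stale(running, path),
        }
        running.close()
        return result


if __name__ == "__main__":
    for k, v in replace_while_open().items():
        print(f"{k}: {v!r}")
```

The defender's corollary is that "patch installed" does not mean "patch in effect": until the process holding the stale handle restarts, it is still executing the old code, which is why package managers and restart-checkers compare the inode of loaded images against the file on disk exactly as `handle_is_stale` does.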

  5. Automatically deriving exploits by theorem proving by Animats · Score: 5, Informative

    This is fascinating. As someone who's worked with automatic theorem proving and proof of correctness techniques, I'd never thought of using them in this way.

    What they're doing works like a proof of correctness system in reverse. They difference executables before and after the patch (which in itself is impressive), then, having isolated the patch, analyze it automatically. Security patches usually consist of adding a test which constrains the valid inputs at some point. So they use a symbolic decision procedure, which is part of a theorem prover, to work back through the code and automatically derive a set of inputs that would be caught by the new test.

    This is more than just an attack on Windows Update. It's true automated exploit generation.

    This is potentially applicable to any security-critical code that changes over time. One could, for example, have something that watched check-ins to the Linux kernel tree and developed new exploits to current stable releases from them.

  6. Re:Worst possible way to criticize Windows Updates by realthing02 · Score: 5, Insightful

    I think you actually missed the worst part about this summary (not the article...)

    From the summary: "Such as Windows Update... can detract from overall security, and should be redesigned."

    The ellipsis represents 14 pages of information in this sentence. And the actual PDF doesn't say it detracts from security, but rather that the scheme is insecure. Which is quite a difference. Normally I don't do this, but the quote is really stupid when put the way the contributor or editor put it in there. The article was interesting enough on its own accord (automatic patch-exploit generation) without having to throw your own personal cracks in there.

    Let's grow up, people.