Hackers Develop Automated Exploits
Researchers at U.C. Berkeley, the University of Pittsburgh and Carnegie Mellon University created automatically generated exploits for five Microsoft programs based on patches provided with the Windows update. By comparing the patched binary to the unpatched binary as a basis for creating exploit code, researchers were then able to develop new techniques to automate the process for exploiting potential vulnerabilities, all of which were addressed by known patches.
Researchers developed exploit techniques as part of a project that attempted to investigate ways cyber criminals might further reduce the patch window -- the amount of time between the public patch release and the time that an exploit is created.
Immediately following the public release of a patch, skilled hackers often use this window to launch attacks against unprotected computers as quickly as possible.
Experts say that so far, the automated exploit process is currently in its early stages and still somewhat unreliable, creating crashes or only DoS type exploits. But while the automated hacks might not have worked in all cases, the study concluded that automatic patch-based exploit generation will likely be a viable method of attack for cyber criminals in the near future.
"A fundamental tenet of security is to conservatively estimate the capabilities of attackers. Thus our results indicate that automatic patch-based exploit generation should be considered practical," said researchers in the report "Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications."
Meanwhile, security experts say that the study's results aren't entirely surprising. Patch windows have been shrinking for a while as technology has become more sophisticated and criminals have become more skilled and organized in their approach, experts say. John Bambenek, SANS Institute Internet Storm Center handler and security researcher at the University of Illinois, said that tools such as Metasploit, used for developing and testing exploit code, have allowed criminals to focus on writing exploits by taking care of other attack details such as access and targeting.
Currently, exploits for known vulnerabilities will generally emerge anywhere between one to three days following the patch release, experts say.
However, that might change once hackers begin using off-the-shelf tools to automate this process. Security experts say that as a result, a successful exploit that might once have taken days, could be significantly reduced to hours or minutes once the patches are made public.
While security experts acknowledged that a few individuals might have access to automated hacking tools, in general they haven't seen widespread use of these tools in the criminal community. That will likely change as cyber criminals become more adept at generating exploits that reverse engineer the released patches and then start infecting vulnerable machines in a matter of minutes.
"As time has gone on, the technique for writing this stuff has become better known. It's still by and large a manual process, but they can reuse a lot of code, reuse a lot of techniques," said Bambenek. "The automation is just a next logical step that they will go to."
In the future, Bambenek recommended that security vendors invest in ways to release patches as quickly and "with a minimum amount of effort," in order to reduce the delay for legitimate users to patch their systems. He also maintained that the signature-based defense process will "not be entirely helpful" against a class of hackers that write their own exploits.
In addition, Bambenek asserted that the research underscored the need for security research to become more proactive, refuting that the study's findings would compel would-be hackers to invest in automated attacks.
"There are people who approach security that way. But the people who are doing this stuff, they're thinking through these problems just as much as we are," said Bambenek. "They will always be successful the first round. Until something is bad, we allow it."
"Reactivity has a place, but that can't be all," he added. "If you're always playing defense, you're going to lose."