Are Patches Leading to Exploits?

In October, for the second time in as many months, Microsoft's "Patch Tuesday" gave way to "Exploit Wednesday."

This could be a sign of an emergent modus operandi for those who would exploit vulnerabilities just after Microsoft releases its security bulletins, according to some security experts.

In September, it was Clippy's Revenge; last Wednesday, an exploit related to Microsoft Word came to light.

Researchers at Symantec discovered a malicious Word file in the wild which, when opened, was crashing the program. Symantec investigated further, using various combinations of Word versions, patches and languages, and in each case -- with the exception of Office 2007 -- opening the document caused Word to crash, Symantec said. Later it became apparent that someone created the document using Word for Macintosh.

These incidents over the past two Patch Tuesdays suggest ongoing efforts by hackers to anticipate what will be patched, with the idea of pouncing on weaknesses immediately after learning an exploit's implications. They also highlight the muddy waters of proof-of-concept exploit releases by independent security vendors -- intended to help IT organizations, they often do just the opposite.

"The exploits come from everywhere, whether in the wild or through more controlled means," said Alfred Huger, vice president of software engineering for Symantec Security Response. "But (the exploits) can be like a hammer in the respect that you can use them to build on weakness or destroy defenses."

Huger added that Microsoft is handling a two-edged sword when releasing patches. As a vendor, it should and must disclose fixes to products, programs and services. However, doing that also gives hackers a laundry list of potential attack vectors and weak spots.

Ideally, proof-of-concept exploits are supposed to stop that cold. These types of hypothesis-based programs that emerge in the wake of any given Patch Tuesday are designed to show people how to deter these threats, as well as hopefully give vendors and IT pros a sense of what they're up against before a hacker can strike.

That's why security organizations such as TippingPoint, VeriSign and research project Metasploit all help locate and provide possible solutions to exploits and potential exploits of Microsoft vulnerabilities.

But such help may not always be welcome in Redmond, according to Eric Schultze, chief security architect at Saint Paul, Minn.-based Shavlik Technologies.

"I don't think [Microsoft] really cares for the VeriSigns of the world," Schultze said. "I think they would rather hear about an exploit privately and then fix it rather than have an exploit already out there used for the wrong reasons, only to release a patch and have it re-engineered and used against them."

Schultze said that going forward, the application-based exploits (Clippy, MS Word) and client-side issues, while important, aren't as critical as server-side issues such as the denial of service risk via remote call procedures (RPC) that Redmond patched on Tuesday.

"As a hacker, the gold medal is the server side, controlling the network," said Schultze, who expects that either a proof-of-concept and/or a wild exploit release is forthcoming for both the RPC vulnerability and likely the Network News Transfer Protocol issue.

Meanwhile, as an indication of what may be covered in future Patch Tuesdays -- the next one is on Nov. 13 -- Microsoft announced this week that it was looking into remote code execution vulnerability in supported editions of Windows XP and Windows Server 2003 with Windows Internet Explorer 7 installed.

As always, security admins must remain vigilant: know your weaknesses, test your network for holes and fix any problems quickly.

"We know that proof of concepts are used maliciously; we know that exploits are released every month, every week and every day for that matter," Symantec's Huger said. "We also know that hackers keep things close to the vest and then tend to dump their exploits to coincide with patches to throw you off while they're moving on to something else. Since we know this, we should act accordingly."

About the Author

Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.