David Heath
Tuesday, 29 April 2008 19:10
A group of US university researchers from Carnegie Mellon, Pittsburgh and University of California (Berkeley) has undertaken some very interesting research. In essence, they have created a technique that reverses the patch from a patched piece of software to identify the vulnerability being addressed.
This is important.
It means simply that for any vulnerability that has not previously been published, it suddenly now IS published.
As a hacker (of the ‘nasty’ kind), all you need to do is wait for Microsoft (or any other major software vendor) to release a patch. Then, using the techniques pioneered by the researchers, it is a trivial operation to identify the vulnerability. Quoting the researchers, “In many cases we are able to automatically generate exploits within minutes or less.”
In the light of this generalised vulnerability, the authors identify a number of issues which affect the way patches are currently distributed.
Firstly, we should hope that in these modern times of staggered patch distribution the naughty lads are late on the list of recipients. Otherwise, they know the problem, they know how to exploit it, and they have the opportunity to do so. Remind me, how do you spell bot-net?
Additionally, patches are essentially unprotected in transit, rendering them open for analysis. The authors speculate how circumstances might be different if they were encrypted (no real change!), personalised to each PC (again, no real change, since patches have to be de-personalised in order to be applied) or distributed via torrent-style rapid-deployment systems (the jury’s still out on this one).
So, what should Joe-user take away from this? Really, he should change nothing, he’s screwed either way! Essentially, there’s nothing new he can do to influence this aside (possibly) from manually seeking patches as soon as they are announced – “be the first on your block…”
Alternately, there’s always clay tablets, but I’ve yet to find the spell-checker on one of those!