Using off-the-shelf tools, hackers could craft exploits for software vulnerabilities in as little as 30 seconds after studying
The researchers focused on patches for five Microsoft software programs, which were analyzed to find out how the applications were repaired. Using an automated tool, an exploit -- or code designed to attack a machine at a weak point -- could be created in a few minutes or less after looking at the patch, they wrote.
The research means it is theoretically possible for hackers to start trying to exploit machines a short time after the attackers have received the patch, putting more PCs at risk of becoming infected with malicious software.
Already, hackers are pretty fast. Microsoft issues patches on the second Tuesday of every month, and exploit code for some the publicly disclosed vulnerabilities will usually appear the next day. They're able to do that through reverse engineering and poking around the code to find out what's wrong.
But creating exploits faster would give hackers more time to find vulnerable machines while Microsoft is in the process of distributing patches through Windows Update, the company's patch download feature.
Even 24 hours after patches have been issued, only 80 percent of Windows machines have called on Microsoft's servers, the paper said. That delay is intentional. Other vendors similarly roll patches out gradually in order to reduce the burden on their servers.
But that's probably going to have to change, the researchers said.
"One immediate consequence we suggest is that the current patch distribution schemes are insecure, and should be redesigned to more fully defense against automatic patch-based exploit generation," they wrote.
The researchers call the method "Automatic Patch-Based Exploit Generation." One of the tools the researchers used to see what a patch fixed is a code-analysis tool called eEye Binary Diffing Suite.
In one example, the tool took less that two minutes to figure out the vulnerability with the Windows Graphic Device Interface, used to display graphics. The problem (MS07-046) could allow an attacker to take complete control of a machine, and it was patched by Microsoft in August 2007. The researchers were quickly able to craft a denial-of-service exploit.
There are a few ways to keep attackers at bay, though. Vendors can create patches that hide what they've fixed in order to make it harder to figure out.
Also, encrypted patches could be distributed, and then an encryption key released once all the machines have the patches. The key would unlock the patch but prevent reverse engineering until all machines are fixed. Another option is to use P-to-P (peer-to-peer) networks in order to distribute patches faster.
The paper was written by David Brumley and Pongsin Poosankam of Carnegie Mellon University, Dawn Song of the University of California at Berkeley and Jiang Zheng of the University of Pittsburgh.