Sunday, March 27, 2016

Provoking Patches

Welcome to my Week 2 blog post!

Last week we discussed passwords, whose importance is often overlooked.  This week, I want to take a look at something that we are all probably doing, but might not know why: patches.

Security patches are written and distributed by software vendors to correct a vulnerability: a flaw that the vendor did not know about (or had not yet fixed) when the software shipped.  One of the most common ways these flaws get found is a technique called fuzzing.  At a VERY basic level, fuzzing is feeding unexpected data into a program and watching how it reacts.  For example:

Enter a number between 1 and 10:

Now, a typical user would enter a number between 1 and 10, but a fuzzer might enter a 'q' (or nothing at all, or a negative number, or ten thousand characters), just to see what happens.  If the software is coded correctly, it checks the input before using it, and the response would look something like this:

Invalid input, enter a number between 1 and 10:

However, if the software isn't written to validate input, you might see this:

[Image: Blue Screen of Death]
The Blue Screen of Death is something we've all dealt with at some point.  It is Windows telling you that code running in the kernel (Windows itself or a device driver) hit an error it could not recover from, so it stops everything rather than keep running in an unknown state.  An ordinary application that fails to check its input will usually just crash or misbehave on its own; a blue screen means the bad input reached code running with kernel privileges.  Either way, it is the result of improperly coded software.  The reaction we have when this happens is usually one of frustration and anger, but we accept it and reboot.

What if the result is something more malicious, like administrative (root), or even SYSTEM access?  A crash shows the fuzzer that the program lost control of its own state on that input.  With more work, the same bug can sometimes be turned into a way to run code of the attacker's choosing, and that code runs with whatever privileges the crashed program had.  Now, the fuzzer just discovered a way to gain permissions that a standard user should never have.
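To make the fuzzing idea concrete, here is a small example I added for this post (my own illustration, not code from any vendor or fuzzing tool).  It implements the "Enter a number between 1 and 10" prompt twice, once without input validation and once with it, and then runs a toy fuzzer over both: a constructed list of edge cases plus seeded random junk, with each outcome sorted into "handled", "rejected", "crashed" or "silently wrong".  The menu, the parsers and the inputs are all made up for the demonstration.

```python
import random
import string

# The menu that "Enter a number between 1 and 10:" selects from (constructed for the example).
OPTIONS = ["one", "two", "three", "four", "five",
           "six", "seven", "eight", "nine", "ten"]


class InvalidInput(Exception):
    """Raised by the hardened parser for anything that is not a whole number 1..10."""


def parse_choice_naive(raw: str) -> str:
    """The 'not written to validate input' version: it trusts whatever it is given.

    int() blows up on 'q', '', '1.5' and friends (the program falls over), and
    Python's negative indexing means '0' and '-3' are silently accepted and map
    to the wrong option, which nobody notices until it matters.
    """
    n = int(raw)
    return OPTIONS[n - 1]


def parse_choice_safe(raw: str) -> str:
    """The 'coded correctly' version: check the form and the range before use."""
    text = raw.strip()
    if not (text.isascii() and text.isdigit()):
        raise InvalidInput("Invalid input, enter a number between 1 and 10")
    n = int(text)
    if not 1 <= n <= 10:
        raise InvalidInput("Invalid input, enter a number between 1 and 10")
    return OPTIONS[n - 1]


def expected(raw: str):
    """Oracle for the fuzzer: what a correct program must return, or None if it must reject."""
    text = raw.strip()
    if text.isascii() and text.isdigit() and 1 <= int(text) <= 10:
        return OPTIONS[int(text) - 1]
    return None


def generate_inputs(seed: int = 1, count: int = 200) -> list:
    """Constructed inputs: hand-picked edge cases plus seeded random junk.

    A real fuzzer mutates a corpus for millions of iterations; the idea is the same.
    """
    rng = random.Random(seed)
    edge_cases = ["5", "q", "", " ", "0", "11", "-3", "+4", "1.5", "1e1",
                  "0x5", "5\n", "None", "9" * 40, "1_0"]
    random_junk = ["".join(rng.choice(string.printable)
                           for _ in range(rng.randint(0, 12)))
                   for _ in range(count)]
    return edge_cases + random_junk


def fuzz(target, inputs) -> dict:
    """Feed every input to target and bucket what happened, the way a fuzzer's triage does."""
    report = {"ok": [], "rejected": [], "crash": [], "wrong": []}
    for raw in inputs:
        try:
            result = target(raw)
        except InvalidInput:
            report["rejected"].append(raw)            # graceful refusal: good
            continue
        except Exception as exc:                      # anything else is an unhandled error
            report["crash"].append((raw, type(exc).__name__))
            continue
        if result == expected(raw):
            report["ok"].append(raw)
        else:
            report["wrong"].append((raw, result))     # accepted something it should have refused
    return report


if __name__ == "__main__":
    for name, target in (("naive", parse_choice_naive), ("safe", parse_choice_safe)):
        r = fuzz(target, generate_inputs())
        print(f"{name}: ok={len(r['ok'])} rejected={len(r['rejected'])} "
              f"crash={len(r['crash'])} wrong={len(r['wrong'])}")
        for raw, detail in (r["crash"] + r["wrong"])[:8]:
            print(f"    {raw!r:>12} -> {detail}")
```

Running it shows the naive parser crashing on 'q' and '11' and silently returning an option for '0', '-3' and '+4', while the hardened parser never crashes and never returns anything for input outside 1..10.  The "wrong" bucket is the interesting one: nothing falls over, so no blue screen and no angry user, which is exactly the kind of bug that becomes a security hole instead of a visible crash.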

If the fuzzer who discovered the vulnerability wears a White Hat, they report it to the software developer (privately, so that it can be fixed before it becomes public knowledge), who then starts creating the patch to correct the vulnerability.

Now that the patch has been written, it's ready for distribution.  While you're working on your system, you get a notification like this:

[Image: update notification]
I know when I see this, my inner procrastinator wants to click the 'X'.  However, knowing what it might fix, I click on it, run the installer, and hope I don't need to reboot.

Security patches are distributed by the software vendor who created the software.  You should only download and install patches from them, and not from a third party.  Fake "your software is out of date" pop-ups on web pages and in e-mail are a common trick for getting people to install malware, so if a prompt shows up anywhere other than the software's own update mechanism, close it and check for updates from inside the program (or from your operating system's update settings) instead.  Any developer (Microsoft, Adobe, Apple, etc.) should periodically send notice of patches.  To help protect your system, set it to automatically download and install the patches.  If you choose not to do this, you will need to make sure you check for updates at least weekly; many vendors, Microsoft included, release fixes on a regular monthly schedule, but critical fixes sometimes ship outside of it.  Do this for all of your software, not just the operating system, to ensure maximum protection.

Patches, and now you know...

Thanks for reading!

Here are a few references:
https://www.owasp.org/index.php/Fuzzing
https://www.cert.org/vulnerability-analysis/research/discovery.cfm?
https://en.wikipedia.org/wiki/Blue_Screen_of_Death
https://en.wikipedia.org/wiki/White_hat_(computer_security)
https://en.wikipedia.org/wiki/Grey_hat
https://en.wikipedia.org/wiki/Black_hat
https://social.technet.microsoft.com/Forums/en-US/6259994a-80e9-4e2c-9fa8-4df6b614d641/no-windows-update-notifications?forum=W8ITProPreRel
