0patch: Microscopic cures for big security holes

Software vulnerabilities are one of today’s most significant information security issues. Disclosing high profile vulnerabilities has become tremendously rewarding, to the point that some vendors are devising marketing campaigns that include a logo and a catchy name, regardless of the seriousness of the flaw.

While vendors from different industries are starting to realize the impact of software vulnerabilities, and many run their bug bounties through platforms like HackerOne, some highly skilled security researchers still opt to sell their findings under the radar. No wonder, as critical zero-day vulnerabilities can fetch a lot of money on the underground market.

Despite all of this, software vendors are more interested in shipping a new version of their product than they are in fixing vulnerabilities. Some are not motivated to provide patches even when a highly critical vulnerability puts their users in harm’s way. To make things more depressing, sometimes when an update is made available, it takes weeks or even months before it’s applied in large corporate networks. After all, the risk of interrupting business is greater than the fear of getting breached.

The magic of 0patch

Acros Security, a digital security research lab, today made available a free public beta of 0patch. This solution aims to fix 0days, unpatched vulnerabilities, end-of-life and unsupported products, provide patches for legacy operating systems, as well as vulnerable third party components and customized software.

0patch

0patch console

0patch takes less than a minute to install, and it applies tiny security patches in the same way for all applications – not on the disk, but in memory, while the software is running. This enables patching and unpatching to be done virtually instantly, even remotely, without rebooting the computer.

If 0patch is running, it immediately patches a vulnerable app at launch, and it alerts the user if an exploit attempt has been blocked.

0patch

0patch exploit blocked notification

It turns out that this way of patching is suitable for almost every remotely exploitable vulnerability, including unchecked buffers, numeric over/underflows, uninitialized variables, format strings, binary planting, DLL injection, data patching, and more. What can’t be patched – or not that easily – is scripted code, design flaws, the Windows kernel, and applications that actively refuse to be patched. An example of the latter is Skype – it crashes as soon as it detects it’s been modified.

What will vendors think?

0patch will undoubtedly raise some eyebrows, since vendors don’t exactly welcome third parties patching their software.

“We expect vendors to be initially cautious about the idea, but after thinking about it they will realize that 0patch can actually save them a lot of time and money,” Mitja Kolsek, CEO at Acros Security, told Help Net Security.

0patch will not affect a vendors’ patch release schedule. One of its main goals is to provide temporary replacement micropatches for vulnerabilities that have already been patched by vendors, and allow administrators to protect their systems while they’re testing the official security updates, and getting their systems ready for patching.

“What does affect vendors’ patch release schedule are 0day vulnerabilities in their products being exploited in the wild. When that happens, they have to drop everything and quickly create an unscheduled update, test it and deliver it to their users. This can be very costly and takes away valuable time from development. In such cases, 0patch can be their solution: instead of essentially building a new version of a product with a tiny correction in its code, they could simply create a micropatch and deliver that instead. Moreover, the process of creating a micropatch can be almost entirely outsourced,” says Kolsek.

A question of trust

Why would you trust a patch delivered by 0patch? Well, Kolsek expects that most of the patches will initially be in addition, not instead of official patches.

“One important difference between an official vendor update and a micropatch is that a micropatch is, well, micro: we’re talking just a couple of machine instructions. This makes a 0patch reviewable by anyone who can read assembly code and can fire up IDA or a debugger to see what the patch does. We’re going to publish patch documentation to make it even easier to review any patch,” explains Kolsek.

In addition, the company is planning on building a more elaborate trust model around patches to allow trusted third parties to review and vouch for individual patches.