
Security patches advertise vulnerabilities

by Scott Bicheno on 25 April 2008, 17:27

Tags: Microsoft (NASDAQ:MSFT)

Quick Link: HEXUS.net/qamvv


The end of the patch as we know it?

Microsoft’s recent Security Intelligence Report stated that although 29.3 percent of known MS security vulnerabilities had publicly available exploit code in 2006, the ratio had fallen to 20.9 percent by 1st August 2007.

‘While the number of vulnerabilities continues to increase,’ the report continued, ‘the ratio of exploit code available for these vulnerabilities remains steady and is even on a slight decline.’

However, the exploit code ratio may be about to rise again, sharply. A group of computer science doctoral students at Carnegie Mellon, Berkeley and Pittsburgh have revealed an automatic patch-based exploit generation (APEG) programme that can identify the underlying vulnerabilities in minutes.

Security professionals have been reverse engineering patches for years to uncover the underlying vulnerabilities. APEG may have given mal-doers the edge in the race to exploit the vulnerabilities before the security patches are installed.




HEXUS Forums :: 1 Comment

Great, less effort for dirtbags, more hassle for the rest of us.