Better tools let hackers strike more quickly
By Robert Lemos
CNET News.com
July 28, 2004, 11:11 AM PT
LAS VEGAS--It's mostly bad news for network administrators at this year's Black
Hat Security Briefings: Increasingly, attackers are using better tools to find
vulnerabilities quickly, exploit flaws and hide their attacks.
While some security experts point to zero-day exploits--code that takes
advantage of previously unknown vulnerabilities--as a growing threat, a greater
number are stressing the danger of online attackers' ability to quickly turn
around attack code by analyzing the patch issued to fix the problem.
"Within a day, you can take a patch, find a problem, and produce an exploit,"
said Jeff Moss, the founder of the Black Hat Security Briefings, which kicked
off Wednesday. "If a patch is released one day and an exploit comes out the next
day, that doesn't leave companies much time to see to their security."
Several security companies, including Symantec and VeriSign, have noted that
anecdotal evidence indicates that the code needed to take advantage of a
specific flaw increasingly follows closely after the first details of the
vulnerability are released. Security researchers at the Black Hat conference
point to the increased usage of tools designed to reverse-engineer patches as
the cause of the trend.
The accelerating creation of attack code means that companies have to be
prepared to patch much more frequently, or find ways to secure their computers
against attacks that use the latest flaws.
"Administrators can't wait for the next quarterly patch anymore," said Paul
Watson, an information security specialist for Rockwell Automation and the
author of a paper on basic network flaws. "Companies used to do it once a
year--you would go out, get the patch bundle and apply it. You do that now and
you are dead." Watson learned about incident response when he released
information about a pervasive network flaw earlier this year.
The creator of the Slammer worm gave network administrators six months to patch
their systems before releasing the worm in January 2003. The Sasser worm
appeared in April 2004, three weeks after the vulnerability that allowed it to
spread. And the Witty worm hit a mere two days after the flaw in a security
product allowed it to spread.
Security companies and software makers hope to erect digital defenses to give
their clients a respite from repeated patching.
On Monday, eEye Digital Security announced a new product, Blink, that acts as a
shield for computers against quickly materializing threats. In the same way that
antivirus software can halt computer programs from spreading to a victim's
computer, intrusion prevention software such as Blink can stop incursions from
worms and remote-attack software.
Microsoft will also do a lot to bolster unpatched systems from new threats when
it releases Windows XP Service Pack 2 in August. The security update from the
software giant will enhance the firewall and add security features to make it
more difficult for attackers to exploit flaws. Those two features will make it
significantly harder to attack Windows systems, said David Litchfield, founder
and managing director of Next-Generation Software Security, a British company.
"Hopefully, the day of the Windows network worm is over," Litchfield said. "It
is not going to be foolproof, but in terms of getting it more secure, it will go
a long way."