Community for IT Security, Risk Management and Compliance

IT Security Link | Community for IT Security, Risk Management and Compliance

Join The Community!

Please Login or Register

About Us | Contact | Terms | Privacy | RSS

SEND COMMENTS AND NEWS TIPS

Information Security
People and Technology
Cybercrime
Security Compliance
Recruitment

Home
Members articles
Events
News
Recruitment

Home › Blogs › Peter Berlich's blog

Researchers: Obfuscate patches

members_opinions

Sun, 05/18/2008 - 09:38

Researchers from Carnegie Mellon have developed a way to semi-automatically develop exploits from patches (cf. story on SecurityFocus).

Actually, this isn't such a new twist to the old disclosure debate - reverse engineering of patches has always been possible; the news is that it's possible to develop a program that does so.

The principal problem this poses is shortening implementation cycles of patches. All other parameters are basically unchanged. We can't not publish patches, obfuscation will only provide a temporary (and probably very brief) obstacle to attackers, and secondary controls (relating to defense-in-depth) will only mitigate, not prevent an exploit.

Organizations will need to get used to a shifted balance between stability and security. Extensive compatibility testing of patches might simply be a thing of the past.

Your vote:

No votes yet

Peter Berlich's blog
Login or register to post comments

Search IT Security Link

EVENTS CALENDAR

September 2010
Mon	Tue	Wed	Thu	Fri	Sat	Sun
		1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30

Members Blog Topics

Punk not dead
Lords: "Government should step up to its responsibility in IT Security"
Researchers: Obfuscate patches
Your own personal barcode
Going the extra ten percent

IT Security Link Sponsors

About Us
Contact
Terms
Privacy