Wednesday, January 20, 2016

Bridging the "Security Update Gap" With 0patch

Vulnerability Patches Can be Really Small and Easy to Apply

Yesterday we tweeted a proof-of-concept actual micropatch for the "Winshock" vulnerability (CVE-2014-6321, MS14-066) in Windows schannel.dll. The patch fixes a buffer overflow vulnerability that allowed attackers to execute arbitrary code on any SSL-enabled IIS server. (Thanks to Mike Czumak, BeyondTrust and Malware Tech for their awesome analyses, especially Mike for also sharing his method for triggering the bug.)

Our "0patch" for Winshock consists of just 11 machine instructions (28 bytes), which is a fairly typical size for a 0patch judging from over 300 0patches we've written so far. To put these 28 bytes in perspective, you should know that the official Microsoft's update that fixed the same vulnerability (although it might also have changed some other bits here and there) was 243 KB, which makes our 0patch roughly 8,800 times smaller than the official fix.

Read this entire post at the 0patch blog.

Tuesday, January 12, 2016


Fixing The Fixing

Those of you following our work have noticed the near-silence in our public department during the last two years. The blog was static, there were no news on the web site to speak of, and googling us gave no recent hits. Sure, our customers know we were as busy as ever under the blanket of serial NDAs, but what was going on in our "free" time?

One word: 0patch. We were building what we believe is going to fundamentally change the security game. And it seems so trivial, it's hard to comprehend that something like this hasn't been a standard procedure for ages. Well, no-one seemed to have bothered building it*, so we did.

Read this entire post at the 0patch blog.