Friday, April 25, 2008

Automatically Hacking Computers

Imagine you had access to the Windows Update servers. What could you do?

No, no write access. Just read access.

Not to the harddisk or the OS, just the normal patch download access via HTTP.

You could automatically hack any software that Microsoft patches (or anyone who supplies security patches for their software for that matter).

Confused?

Okay. Follow along on a little thought experiment. Security patches contain fixes for security bugs. Security bugs allow others to do bad things with your computer, like turning it into a spam zombie. Or making it steal your bank account data. Or allowing someone you've never met to put illegal stuff on your computer, like stolen music or pr0n.

The security patch fixes that. But there is a catch. The security fix is a little piece of program with instructions on how to install it. Basically, it replaces a piece of program that is already on your computer.

How could someone possibly abuse this? Isn't the security hole fixed after the patch?

Actually, for the kind of attack we're talking about here, this is irrelevant. What is interesting is this: the patch is almost identical to the program that you already have. The difference is a few bytes which fix the security hole.

While it is usually very hard to find a security hole in a program (you'd have to analyze a whole lot of code), the security patch is actually a map to the hole. It tells you exactly what was broken and how it was fixed.

That allows for two kinds of attack: First, you can now easily write a program which can successfully attack all computers that don't have the patch yet. Second, you can check whether the developers made a mistake with the fix. If they did, you now have a perfect recipe for disaster.

To make things worse, there is only a limited number of ways to make a program break in such a way that you get a security hole. This means it is possible to write a program which compares the original code with the patch and which comes up with a virus for the hole which has just been fixed (or not). Automatically.

This program could just sit there, watch the Windows Update servers, wait for a new patch to come up, create a virus from it and distribute it to already cracked websites.

Scientists from three different universities were able to show that it is actually possible to do this.

For you, this means two things: Firstly, whenever a security patch is available, you must install it immediately. Secondly, you must not visit any website until you have installed all available security patches. Otherwise, you risk being infected by visiting an innocent website that someone has hacked. Remember, those are vulnerable to the same kind of attack: a cracker could have gained access to the computer of one of the site's administrators with the attack described above and could have obtained a copy of the password with the help of a keylogger.

In a few years, we'll have an immune system for the Internet.

Or we won't have an Internet anymore.
