How Micropatching Could Help Close the Security Update Gap
Of the computer systems that cybercriminals successfully attack and compromise, the majority run software containing exploitable vulnerabilities. And, while there is a plethora of defensive tools and technologies to help detect and stop cyberattacks, none of them address the underlying weakness in the vulnerable code that exposes devices and systems to ongoing risk.
The problem is only getting worse. In 2021, the National Vulnerability Database added nearly 22,000 new vulnerabilities, another record year. This makes patch management an increasingly important part of any security strategy, but it’s easier said than done.
According to Edgescan’s “Vulnerability Statistical Report 2021”, the average time for an organization to fix a vulnerability once it is identified, known as the security update gap, is 60.3 days. This gives an attacker 60 days to find and exploit systems harboring this vulnerability. Unfortunately, many organizations won’t have that much time to fix it: once a security vulnerability in an Internet-accessible service is made public, malicious code to exploit it typically appears within 48 hours.
Unfortunately, many vulnerabilities are never patched at all. In the Equifax breach, for example, the attackers entered via a known, unpatched bug. Many of today’s malware and ransomware variants take advantage of CVEs that have been around for five years or more.
Why is patch management so difficult?
There are various reasons why vulnerabilities are patched so slowly or not at all. First, users must wait for a vendor to analyze and fix a flaw, and then distribute a patched version of its software. And, while automatic and semi-automatic software updates from companies like Microsoft, Apple, Adobe, and Google help enormously to keep much popular software up to date, they often require system restarts, which may not be practical or even viable for some businesses. Companies must also rigorously test updates before they can be deployed to production systems, a complex and time-consuming process that can take weeks or months.
The other big reason why patches never get applied is that people and businesses prioritize productivity over security. Users often resist closing running programs to restart and apply software updates, either because they don’t want to or because they can’t, especially in the case of critical business applications.
In Splunk’s “State of Security 2022” report, 44% of organizations surveyed said they experienced business process disruption due to breaches, and 44% lost confidential data. Both figures are up sharply from the previous year. The cost and disruption of a security breach certainly outweighs the cost and disruption of installing critical security patches. Nonetheless, most IT users continue to put productivity before security, giving attackers a clear advantage and underscoring the need for a different approach to patching.
What is a micropatch?
One possible way to reduce update time is through micropatching: using a small piece of code to fix a single vulnerability, without requiring a system reboot. Similar to a Microsoft Quick Fix Engineering patch or update, a micropatch is applied to a hot or active system, requiring no downtime or outage.
But, while a traditional patch update typically fixes a variety of issues and may even add new features, a micropatch fixes a single issue using as few lines of code as possible, with the goal of minimizing side effects that may affect basic functionality. This means that the patch itself can be small, consisting of little more than the following data:
- the patch
- the vulnerable application
- patch injection site
- the patch code itself
Micropatches are currently available primarily from third-party vendors, rather than OEM software vendors.
Benefits of Micropatching
The main advantages of micropatching are:
- Speed. A micropatch can be deployed in hours rather than weeks because it takes much less time to test whether the patch interferes with core functionality.
- Simplicity. The fact that micropatches can be quickly applied and removed locally or remotely also simplifies production testing.
- Availability. Micropatching does not require downtime because it does not replace or modify executable and running files. Instead, the patch is applied in memory, which can be done without having to restart the software or system, allowing users and critical systems to continue working undisturbed. This technique is called function hooking and has been around for some time. In the case of micropatching, function hooking is used to inject the patch code at a point in the running process so that the software bypasses the vulnerable code.
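The following C program is an added illustration of the mechanism described above and in the four-item list earlier; it is not code from the article, from 0patch, or from any micropatch vendor. It models the in-memory hook as a writable function-pointer slot through which a hypothetical application calls a routine with a constructed buffer-overflow defect; a real micropatch engine rewrites a trampoline in the live process instead, but the logic is the same. The micropatch descriptor carries the four items from the list (patch id, expected vulnerable code, injection site, patch code), the patch id is a placeholder, and the patch is applied and removed without touching any file or restarting anything. Applying refuses to proceed if the site does not hold the code the patch was written for, which is the version check a practitioner would want before hooking a production process.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical "vulnerable application": a record with a fixed-size name field. */
#define NAME_MAX 16

/* Signature of the routine that will be hooked. */
typedef int (*set_name_fn)(char *dst, const char *src, size_t len);

/* Original routine (constructed for this example): it trusts the caller-supplied
 * length, so len >= NAME_MAX overflows the 16-byte destination. */
static int set_name_original(char *dst, const char *src, size_t len) {
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* The application reaches set_name only through this writable dispatch slot,
 * which stands in for the hook trampoline a real micropatch engine rewrites
 * inside the running process. */
static set_name_fn set_name_slot = set_name_original;

/* A micropatch carries the four items listed in the article. */
struct micropatch {
    const char *id;               /* the patch (placeholder id, not a vendor id) */
    set_name_fn expected_target;  /* the vulnerable application: code expected at the site */
    set_name_fn *site;            /* patch injection site */
    set_name_fn code;             /* the patch code itself */
    set_name_fn saved;            /* original code, kept so the patch can be removed */
};

static int set_name_patched(char *dst, const char *src, size_t len);

static struct micropatch example_patch = {
    .id = "EXAMPLE-PATCH-0001",    /* constructed placeholder */
    .expected_target = set_name_original,
    .site = &set_name_slot,
    .code = set_name_patched,
    .saved = NULL,
};

/* Patch code: a few lines that reject the bad input and otherwise fall through
 * to the original, so the vulnerable memcpy is never reached with an
 * oversized length. */
static int set_name_patched(char *dst, const char *src, size_t len) {
    if (len >= NAME_MAX)
        return -1;   /* would overflow: refuse instead of corrupting memory */
    return example_patch.saved(dst, src, len);
}

/* Apply in memory: no file is modified and nothing restarts. Refuses if the
 * site does not hold the code the patch was written for (wrong build, or
 * already patched). Returns 0 on success, -1 on refusal. */
int apply_micropatch(struct micropatch *mp) {
    if (*mp->site != mp->expected_target)
        return -1;
    mp->saved = *mp->site;
    *mp->site = mp->code;
    return 0;
}

/* Removal is just as quick: restore the original pointer. */
int remove_micropatch(struct micropatch *mp) {
    if (*mp->site != mp->code)
        return -1;
    *mp->site = mp->saved;
    mp->saved = NULL;
    return 0;
}

/* How the running application calls the routine: always through the slot. */
int app_set_name(char *dst, const char *src, size_t len) {
    return set_name_slot(dst, src, len);
}

/* 1 while the hook is in place, 0 otherwise. */
int is_patched(void) {
    return set_name_slot == example_patch.code;
}

int main(void) {
    char name[NAME_MAX];
    printf("patched: %d\n", is_patched());
    app_set_name(name, "alice", 5);
    printf("name = %s\n", name);
    if (apply_micropatch(&example_patch) == 0)
        printf("applied %s, patched: %d\n", example_patch.id, is_patched());
    if (app_set_name(name, "this-name-is-far-too-long-for-the-buffer", 40) == -1)
        printf("oversized input rejected by micropatch\n");
    remove_micropatch(&example_patch);
    printf("removed, patched: %d\n", is_patched());
    return 0;
}
```

The pointer-equality check in apply_micropatch is what ties the patch to one specific build of the vulnerable code: if the slot already holds something else, whether a different version or another hook, the patch is not applied, which is the safe default when hooking a process that must stay up.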
Some proponents also claim that micropatching can secure legacy, end-of-life, and unsupported products — such as Office 2010, Java Runtime Environment, Windows 7, and Server 2008 R2 — and make them safe to use, even if the original providers no longer support them.
Overall, the speed, ease, and low disruption of micropatching can help close the security update gap. This, in turn, makes it harder for hackers to use popular attack vectors, such as buffer overflows and dynamic link library injection.
Risks and limits of micropatching
Micropatching cannot yet fix logical flaws in an application’s design or vulnerabilities in scripted code, such as PHP and Python, because the code is only interpreted at runtime.
Additionally, while micropatching allows vendors and developers to quickly and automatically deliver patches to users, security teams need to be able to validate the reliability of a patch before they can deploy it. Official patches from mainstream vendors come from reliable and secure servers. But, without such a reliable infrastructure in place, there is no way to ensure that a micropatch from a third-party vendor does not add malicious code or allow access to sensitive APIs and data.
Also, since many software vendors currently consider micropatching to be unauthorized out-of-band patching, it could violate their license terms and conditions.
Micropatching as a service
Some companies are beginning to specialize in providing micropatches as a service for certain operating systems, monitoring newly discovered or released vulnerabilities and releasing micropatches for them. The most notable and well-known example is 0patch from Acros Security, based in Slovenia.
Devices subscribed to such a service can download new micropatches as they become available. A management dashboard displays all associated devices, and admins can decide whether to automatically patch all of them or only certain groups, such as non-critical or test devices. Alternatively, they can also choose to wait and manually trigger the installation after successfully testing the micropatch.
The future of micropatching
A strong patch management strategy greatly increases the resilience of an IT environment against attacks. Yet security teams continually struggle to deploy patches to all devices in a timely, secure, and scalable manner. Additionally, legacy applications with lost or poorly documented source code present additional problems, often resulting in aging but critical software that goes unpatched indefinitely.
Micropatching could significantly narrow the security update gap by allowing vulnerabilities to be patched with less risk and hassle before software vendors have released their own official patches. There’s still a long way to go before it becomes a mainstream option, but industry leaders are already taking micropatching seriously.
For example, the Defense Advanced Research Projects Agency launched the Assured Micropatching (AMP) program. Working with researchers from organizations such as Arizona State University’s Center for Cybersecurity and Digital Forensics, AMP aims to support rapid remediation of legacy binaries in mission-critical systems.
If a trustworthy and reliable ecosystem develops to create micropatches for all major operating systems and software products, patch management can become much faster and easier. This, in turn, would make life much more difficult for cybercriminals.