0patch

Discussion in 'other security issues & news' started by Rafales, Jun 7, 2016.

  1. Rafales

    Rafales Registered Member

    Joined:
    Feb 20, 2013
    Posts:
    61
    Location:
    Earth
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    9,382
    Location:
    Slovenia
    What is a benefit of 0patch over regularly patching an application? Does it provide a patch before vendor releases it?
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    10,658
    Location:
    The Netherlands
    I'm not sure what to think of it. So it's able to actively protect against exploits? But why on earth would I let a third party patch my apps, or is it comparable with anti-exploit tools?

    From what I've read it does have this ability.
     
  4. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    879
    Location:
    UK
    The idea is community supplied patches can be used before vendor released patches are made available.
It also doesn't require any installers; it patches directly into memory.

    A bit like using a web application firewall to patch vulnerabilities not patched directly on the vendor software.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,551
    Location:
    U.S.A.
The last thing in the world I would want is some obscure software from some unknown outfit altering the memory of my processes. Thanks but no thanks...
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    10,658
    Location:
    The Netherlands
I feel the same; I'd rather rely on anti-exe and anti-exploit, which can also protect against zero days.
     
  7. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    879
    Location:
    UK
    I agree to an extent, but every outfit is unknown when they start.
     
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,913
Initially it sounded like a neat idea. In the past other people have provided good patches before, e.g., MS could or would. Just a couple of examples are the .LNK vulnerability & the Image Metafile vulnerability. So out of curiosity I thought I might install it & see what it made of my non-patched/updated XP/SP2 OS.

As usual I'm using ShadowDefender & amongst other things ProcessGuard.

On first launching, before installing, I viewed the Licence Agreement. After reading it I would normally not have considered coming out of SD mode to actually install it properly, as it's Extremely invasive etc etc !

So I stayed in SD mode & continued.

ProcessGuard instantly interrupted & alerted me to the following.

Tried to install a driver/service named 0patchDriver, which I kinda expected, so allowed it.

    0patch\agent\0patchservice.exe was blocked from modifying ALL of my running .EXE's including ALL the running OS .EXE's !

I disabled PG to allow All that, but then got an error message saying it couldn't write to its own log? When I looked in Program Files/0patch/Logs there were 3 Log files, 1 was 0kb, the other 2 around 4kb. I tried to open all 3 but got a Permission Denied error?

By now I had seen enough & stopped trying.

    Maybe others might like to see what happens on their comps, & report back.
     
  9. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,716
    Location:
    Poland - Cracow
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    10,658
    Location:
    The Netherlands
    Doesn't sound too good, why does it need to inject code into all running processes?
     
  11. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,913
    @ Rasheed187

    I don't know, but it's Too invasive for me, & the EULA lets them own you !
     
  12. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
Clone, I wonder how ProcessGuard would work on Windows 10. I still have two lic and the last download.
Does it require a reboot to install?
     
  13. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,913
    @ boredog

Dunno if it would work on Windows 10? You could try it in Compatibility Mode for XP, for example, & see. Hope it works for you :thumbd: I wouldn't want to be without it :)

Yes it requires a reboot to install, & I checked in the Help File for you. Whilst I had it open, I realised I had never read All the way through it, in All this time! Well, I discovered that I can add in even further protections than I have already with the "Secure Message Handling" feature, for starters!

    Live n learn, so Thanx for asking ;)
     
  14. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Hello Clone

I need to go dig through my old disks to find it. I hope I didn't throw it away thinking I would never use any of those old programs.
If I can find it I will give it a shot. It might even still be in an old Yahoo e-mail.
     
  15. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,913
Let us know how it goes. If you can't find it I can send it to you if you can't locate it online somewhere. I expect your licence is safe in another place?
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    10,658
    Location:
    The Netherlands
    No it won't work since Win 7/8/10 use a different security architecture compared to Win XP.
     
  17. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    9,382
    Location:
    Slovenia
    https://www.helpnetsecurity.com/2017/03/13/reinventing-software-patching/
     
  18. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,030
    Location:
    Slovakia
  19. Gapliin

    Gapliin Registered Member

    Joined:
    Feb 12, 2012
    Posts:
    79
This is quite an interesting approach imo.
You need to actually understand their goal: they want to bridge the gap between a vendor releasing a patch for some vulnerability and this patch actually getting installed at the client. If you work in a corporate environment you know that patches usually lag behind by some months.
So at least for still-supported software this is not really so much about patching zero days (for major vendors these don't happen so often - still, this IE/Edge RCE for example was lying in the wild for almost three weeks until MS patched it: https://bugs.chromium.org/p/project-zero/issues/detail?id=1011). Of course it could come in handy for end-of-life products.

The patching works in memory, so the signatures of the actual files on disk are still valid. Also, every patch only ever works with a certain hash of the vulnerable file, so after you install the vendor patch the 0patch micropatch doesn't apply anymore. Also, they aim to only patch the actual vulnerable code and not whole functions.
Another plus is that the patching is transparent, since you can check the micropatches for yourself with a simple text editor.

I think the problem with that approach is that they (ACROS Security) need to have an actual proof-of-concept available for released vendor patches. Sometimes you can get these within days through exploit-db, packetstorm, etc., but sometimes, for more complex vulnerabilities, it could take some time.
Or in other words: they would need to invest time and effort to actually get to the root of the issue and find the vulnerable code. Depending on how complete their solution should be, they would need to do that for every released security patch of every major software vendor. And if you count the number of Windows, Office, IE/Edge, Firefox, Chrome, Adobe, Java, ... vulnerabilities every month, you get the idea that this is quite a challenge. (They try to solve that with something they call "crowd-patching".)

Even so: for every publicly available proof-of-concept they could provide you with a simple micropatch very fast and without needing to restart the software (or even the host). And to be honest: most of the time only exploits with publicly available proof-of-concept code get into exploit kits.

    All in all: With some funding for more manpower and possible support by other vendors I could expect this approach to become at least another way to tackle the "bridging the security update gap" issue.

    Some more stuff if you want to research for yourself.

    Talks:
    Yes, Now YOU Can Patch That Vulnerability Too! - DeepSec 2015 (video, slides)
    Fixing the Fixing - RSA Conference 2017 (video, slides)

    Blog: https://0patch.blogspot.com/ (many blog posts lately explaining how to create micropatches for yourself)

    How to create your own patches:
    https://0patch.blogspot.com/2017/02/one-step-closer-to-crowdpatching-and.html
    0patch Agent for Developers:
    https://dist.0patch.com/download/latestagentdev
    https://0patch.com/files/0patch_Patch_Developer_Manual.pdf
     
  20. DIV

    DIV Registered Member

    Joined:
    Jun 4, 2018
    Posts:
    6
    Location:
    Oz
    Hello, all.
    Thank-you for the information so far about micropatches using the 0patch Agent. There are still several things that are unclear to me, and I am hoping some of you will be able to clarify them.

    I am particularly interested in the micropatch that allows us to continue using Equation Editor with Word, so my questions are slanted in that direction.

    1. Why will restoring Equation Editor (and then micropatching it) not prompt Office Update to try to remove it again?
    2. What about 'cautious' users? Can we choose which micropatches we allow the 0patch Agent to download & implement? [I think the answer to this is yes, but am not certain.]
    3. Does the 0patch Agent have to be running simultaneously with Word for the micropatch to be 'active', given that it is (as I understand it) protecting what happens in RAM??
  If so, what would happen if we try to run Word without the 0patch Agent running simultaneously? Or [equivalently?] if we run Word while the 0patch Agent is also running, but we have manually revoked the micropatch for Equation Editor?
    4. Has 0patch always published the content of the micropatches? [I think the answer to this is yes, but am not certain.] (And will they continue to do so?) [I assume that if so it would provide some protection against intentionally & unintentionally flawed micropatches.]
    5. I guess that (as for software in general) even the 0patch Agent will require updates occasionally. But besides that, is it unnecessary to have internet access to use the previously-downloaded 0patch Agent and micropatch(es)?
    6. How can I be reassured that 0patch won't be hacked: either by malware on my system, or by deployment of a Trojan micropatch [per page 37 of https://www.rsaconference.com/writable/presentations/file_upload/tech-r03-fixing-the-fixing.pdf ]?

    Sincerely,
    DIV
     
    Last edited by a moderator: Jun 4, 2018
  21. Mitja Kolsek

    Mitja Kolsek Registered Member

    Joined:
    Jun 11, 2018
    Posts:
    3
    Location:
    Slovenia
    Hi, Mitja Kolsek of 0patch here.

    1) As far as we know, only the January 2018 Office update removed the Equation Editor. We haven't extensively tested that so if your experience is different please let us know.

    2) 0patch Agent downloads all micropatches to the computer but then allows you to choose which ones you want to have applied by enabling/disabling them in the 0patch Console. The current default for downloaded micropatches is "enabled" so that users get immediate protection without having to do anything. We want 0patch to be a fully automated solution that requires zero user interaction for non-technical users. Admins centrally managing a fleet of computers will have a way to set this default to "disabled" and manually enable new micropatches.

    3) 0patch Agent injects a small DLL (called 0patch Loader) into all running processes and this DLL is essential for actually applying micropatches to these processes; effectively 0patch Loader becoming part of a process allows that process to micropatch itself. However, 0patch Console and 0patch Tray (the only components with user interface) don't have to be running in order for micropatching to work. All that matters is that 0patch Driver and 0patch Service are running (they are both always running when 0patch Agent is installed) because they are in charge of injecting the 0patch Loader into processes. So for all practical purposes we can say that 0patch Agent is always running if you have it installed, but it does honor your choices on which micropatches you want to have applied.

    4) We have always planned to have the source code of micropatches published but haven't yet set up a proper channel for that. Most of our popular micropatches are accompanied with a blog post that includes the source code, but we know there's no reason not to publish all, not just because anyone can already extract the machine code from the downloaded micropatch blobs, but also because allowing everyone interested to inspect that code will go a long way towards building trust as well as getting valuable feedback that will further increase the quality of micropatches.

    5) 0patch Agent has an integrated updating mechanism similar to many other software products, which requires no computer restart or application relaunch (but does currently require the user to manually trigger the update). However, in the true spirit of micropatching, we will try to micropatch as many of our own flaws as possible to benefit from all micropatching advantages (minimal impact on user, minimal risk of defect, speed of deployment, ease of correcting flawed fixes). Case in point, we've already micropatched 0patch Agent once, albeit just a tiny functional flaw (https://blog.0patch.com/2016/09/the-birth-of-worlds-first-self-healing.html)

5a) One of the great things about micropatching is that you have all micropatches downloaded to your local database and can apply them offline whenever needed. For instance, if you register 0patch Agent and let it sync with the server just once (to download the currently available micropatches), then disconnect it from the network, it will keep applying the downloaded micropatches whenever needed (unless you disabled them) - but will of course not be able to download subsequently published micropatches or new Agent versions.

6) Like everything and everyone else in this world, 0patch will be hacked. Our strategy regarding that was to (1) minimize the risk where we have full control over 0patch components (such as our development environment and the micropatches we publish), and (2) minimize the possible damage where we don't have control of 0patch components (such as hosted servers and installed agents). Some of the most important points are:

a) All micropatches are digitally signed on a dedicated offline computer in our lab. Even if someone breaks into the server and puts a malicious micropatch into the database, agents will refuse such a micropatch because it won't have a valid signature.

    b) Even patch revocation requires a valid digital signature, so someone breaking into the server can't revoke published patches to make your computer stop applying some already-downloaded micropatch and resurrect a critical vulnerability that the attacker would then be able to target.

    c) Shutting down 0patch Agent, modifying micropatch data or enabling/disabling micropatches requires local administrator privileges on the computer. Local malware with such privileges can already do anything on the computer so it would make little sense for it to hack 0patch Agent. Nevertheless, even if admin-level malware tried to use 0patch for local persistence (as described here https://twitter.com/midnite_runr/status/797099246117941249), it can't because the agent re-checks the digital signature upon every application of every micropatch.

    Let us know if you have any additional questions.

    Thanks,
    Mitja
     
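The trust rules in the reply above (points 2, a, b and c) and Gapliin's earlier note that a micropatch only applies to one specific hash of the vulnerable file, as an added Python model. This is not 0patch's code (the real agent is a Windows driver, service and injected loader DLL); HMAC-SHA256 with a key held only by the signing machine stands in for the real asymmetric code signing, and every id, field name and module byte string is constructed for illustration.

```python
"""Added example, not 0patch's own code: a toy model of the micropatch trust
checks described in this thread. A patch names the SHA-256 of the exact module
build it targets, the agent keeps only signed patches, a revocation also needs a
signature, and the signature is re-checked every time a patch would be applied.
Assumption: HMAC-SHA256 with a key held only by the offline signing machine
stands in for real asymmetric code signing; all ids, field names and module
bytes are constructed for illustration.
"""
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-offline-signing-key"          # never leaves the signer
VULNERABLE_MODULE = b"eqnedt32 build 1 (constructed bytes)"
UPDATED_MODULE = b"eqnedt32 build 2 (constructed bytes)"  # vendor-fixed build


def module_hash(module_bytes: bytes) -> str:
    return hashlib.sha256(module_bytes).hexdigest()


def _canonical(body: dict) -> bytes:
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(body: dict, key: bytes = SIGNING_KEY) -> dict:
    """Wrap a record with a signature; only the offline signer holds the key."""
    return {"body": body, "sig": hmac.new(key, _canonical(body), "sha256").hexdigest()}


def verify(record: dict, key: bytes = SIGNING_KEY) -> bool:
    expected = hmac.new(key, _canonical(record["body"]), "sha256").hexdigest()
    return hmac.compare_digest(expected, record["sig"])


def make_patch(pid: str, module_bytes: bytes, key: bytes = SIGNING_KEY) -> dict:
    """A micropatch record bound to one exact module build by its hash."""
    return sign({"id": pid, "action": "patch", "target_sha256": module_hash(module_bytes)}, key)


class Agent:
    """Local database of downloaded patches plus the user's enable/disable choices."""

    def __init__(self) -> None:
        self.patches = {}   # id -> signed record as downloaded
        self.enabled = {}   # id -> bool, set from the console
        self.revoked = set()

    def download(self, record: dict) -> bool:
        # Point a: a patch planted in the database without a valid signature is refused.
        if not verify(record) or record["body"].get("action") != "patch":
            return False
        pid = record["body"]["id"]
        self.patches[pid] = record
        self.enabled.setdefault(pid, True)   # default "enabled", as the reply says
        return True

    def revoke(self, record: dict) -> bool:
        # Point b: a revocation is itself a signed record.
        if not verify(record) or record["body"].get("action") != "revoke":
            return False
        self.revoked.add(record["body"]["id"])
        return True

    def patches_for(self, module_bytes: bytes) -> list:
        """Ids of patches the loader would apply to this module right now."""
        h = module_hash(module_bytes)
        applicable = []
        for pid, rec in self.patches.items():
            if pid in self.revoked or not self.enabled.get(pid, False):
                continue
            if not verify(rec):          # point c: re-checked on every application
                continue
            if rec["body"]["target_sha256"] == h:
                applicable.append(pid)
        return applicable


def run_scenario() -> dict:
    """Walk through the cases raised in the thread; returns each outcome by name."""
    agent, r = Agent(), {}
    r["download_ok"] = agent.download(make_patch("P1", VULNERABLE_MODULE))
    r["applies_to_vulnerable"] = agent.patches_for(VULNERABLE_MODULE)   # ['P1']
    r["applies_to_updated"] = agent.patches_for(UPDATED_MODULE)         # []: hash differs
    r["forged_accepted"] = agent.download(
        make_patch("P2", VULNERABLE_MODULE, key=b"constructed-other-key"))
    r["unsigned_revoke_accepted"] = agent.revoke(
        {"body": {"id": "P1", "action": "revoke"}, "sig": "00"})
    r["still_applies_after_bad_revoke"] = agent.patches_for(VULNERABLE_MODULE)
    agent.enabled["P1"] = False                  # user disables it in the console
    r["applies_when_disabled"] = agent.patches_for(VULNERABLE_MODULE)
    agent.enabled["P1"] = True
    # A locally modified stored body no longer matches its signature, so it is skipped.
    agent.patches["P1"]["body"]["target_sha256"] = module_hash(UPDATED_MODULE)
    r["tampered_applies"] = agent.patches_for(UPDATED_MODULE) + agent.patches_for(VULNERABLE_MODULE)
    agent.download(make_patch("P1", VULNERABLE_MODULE))   # a re-sync restores the signed copy
    r["signed_revoke_accepted"] = agent.revoke(sign({"id": "P1", "action": "revoke"}))
    r["applies_after_revoke"] = agent.patches_for(VULNERABLE_MODULE)
    return r


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The hash binding is what makes the vendor update and the micropatch coexist without coordination: once the updated build replaces the vulnerable one, `patches_for` finds no matching hash and the micropatch simply stops applying. Verifying at application time rather than only at download time is what closes the local-tampering case in point c.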
  22. DIV

    DIV Registered Member

    Joined:
    Jun 4, 2018
    Posts:
    6
    Location:
    Oz
    Dear Mitja Kolsek,
    my thanks for your thorough reply are added to my many thanks for the efforts of you and your colleagues to create a viable "micropatching" technology & platform that is freely available.
    Also your responses were targeted at pretty much the right level of technical detail for me. (Some others on this forum would be more knowledgeable than me. I hope they also have a chance to consider your reply.)

    I think I understand what you have said. The main remaining query I have at the moment is about the MS Update process. For some reason I was imagining that the MS Office Updater would check for existence of Equation Editor, and whenever found it would prompt (repeated) installation of the relevant [e.g. Jan 2018] update. From your response, it seems that instead the MS Office Updater will check a log of installed updates, and if a certain update is logged as successfully installed (e.g. Jan 2018 update), then the user will never be recommended to re-install it (even if the update's been 'circumvented' in the meanwhile).

    Per your response 4, it might also be of interest for you in association with that to eventually establish a dedicated forum for users (and possibly potential users).

    Yours sincerely,
    DIV
     
  23. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    4,244
    Location:
    USA still the best. But getting worse!
    Two newbies highly complimenting each other, how nice.

    Welcome to Wilders.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    10,658
    Location:
    The Netherlands
    Why does it need to inject code into ALL processes, why not only into the patched process?
     
  25. Mitja Kolsek

    Mitja Kolsek Registered Member

    Joined:
    Jun 11, 2018
    Posts:
    3
    Location:
    Slovenia
    We assessed injecting into all processes to be the optimal way to immediately detect the presence of any "patchable" modules in the process (i.e., modules we have at least one micropatch for).
     