
Automate zero-day discovery by looking to the past


When people — or businesses — make mistakes, they tend to make them more than once. A research team from SafeBreach is taking advantage of repeated errors to find new zero-day vulnerabilities on software platforms.

Tomer Bar and Eran Segal, who will present their research Friday at DEF CON, built an automated patch-analysis engine and ran it over the recent history of Windows Patch Tuesday updates. They found that when a coding mistake was repaired in one component of the operating system, the same vulnerability would often later have to be patched in other components. The process led them to six zero-days, five of them still unpatched, and it can be replicated on other complex platforms, growing more accurate as more patch data is fed in.

And it's a process they are releasing as open source.

"Everybody can use it, Microsoft and also other researchers, and we encourage them to. We believe that this is just the tip of the iceberg. We found six vulnerabilities. We believe that there are a lot more out there," Bar told SC Media.

Bar and Segal used data dating back to 2016 to find their package of vulnerabilities. The patched vulnerability, CVE-2021-34507, was found in Windows Remote Assistance, with unpatched vulnerabilities in Help, Management Console, Media Player, the XML schema definition tool and the XSLT compiler.

The same approach could be used to find patches made in one operating system that were not applied or incompletely applied to another.
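As an added illustration of the idea in the two paragraphs above (the same bug fixed in one component but left in others, whether within one OS or across OS versions), the following Python sketch is not the SafeBreach engine or its code. It takes the pre- and post-patch source of one component, extracts the normalised shape of the fix (the inserted guard and the call it protects), and scans other components for the same call that still lacks that guard. All source snippets, component names and function names are constructed for the example.

```python
"""Variant hunting from a patch: added example, not the SafeBreach tool.

Given the pre- and post-patch source of one component, extract the lines the
fix inserted, normalise them, and look for the same unguarded call in other
components. Every snippet below is constructed toy input; component and
function names are hypothetical.
"""
import difflib
import re

# Constructed: the component that received the fix.
REMOTE_ASSIST_OLD = """\
int parse_record(char *dst, const char *src, size_t n) {
    memcpy(dst, src, n);
    return 0;
}
"""
REMOTE_ASSIST_NEW = """\
int parse_record(char *dst, const char *src, size_t n) {
    if (n > DST_MAX) return -1;
    memcpy(dst, src, n);
    return 0;
}
"""

# Constructed: other components to scan for the same unpatched pattern.
OTHER_COMPONENTS = {
    "help_viewer": """\
int load_topic(char *buf, const char *data, size_t len) {
    memcpy(buf, data, len);
    return 0;
}
""",
    "media_player": """\
int read_tag(char *out, const char *in, size_t count) {
    if (count > OUT_MAX) return -1;
    memcpy(out, in, count);
    return 0;
}
""",
}

# API names and keywords kept literally; all other identifiers collapse to ID.
KEEP = {"memcpy", "strcpy", "if", "return", "sizeof"}


def normalize(line):
    """Reduce a source line to its token shape so renamed variables still match."""
    out = []
    for tok in re.findall(r"[A-Za-z_]\w*|\d+|[^\s\w]", line):
        if tok in KEEP:
            out.append(tok)
        elif re.fullmatch(r"\d+", tok):
            out.append("NUM")
        elif re.fullmatch(r"[A-Za-z_]\w*", tok):
            out.append("ID")
        else:
            out.append(tok)
    return " ".join(out)


def extract_fix(old, new):
    """Return (guard_lines, guarded_call) pairs for each insertion in the patch."""
    old_l, new_l = old.splitlines(), new.splitlines()
    fixes = []
    for tag, _i1, _i2, j1, j2 in difflib.SequenceMatcher(a=old_l, b=new_l).get_opcodes():
        if tag == "insert" and j2 < len(new_l):
            guard = [normalize(l) for l in new_l[j1:j2]]
            # The first unchanged line after the insertion is the call being guarded.
            fixes.append((guard, normalize(new_l[j2])))
    return fixes


def find_variants(fixes, components):
    """Flag (component, line_no, source) where the call appears without the guard."""
    hits = []
    for name, src in components.items():
        raw = src.splitlines()
        lines = [normalize(l) for l in raw]
        for guard, target in fixes:
            for idx, ln in enumerate(lines):
                if ln != target:
                    continue
                window = lines[max(0, idx - len(guard)):idx]
                if window != guard:
                    hits.append((name, idx + 1, raw[idx].strip()))
    return hits


if __name__ == "__main__":
    fixes = extract_fix(REMOTE_ASSIST_OLD, REMOTE_ASSIST_NEW)
    for name, line_no, text in find_variants(fixes, OTHER_COMPONENTS):
        print(f"{name}:{line_no}: unguarded variant -> {text}")
```

Run stand-alone, the script reports only `help_viewer`, because `media_player` already carries the equivalent bounds check before its copy. A real engine works on binary diffs rather than source and needs far stronger normalisation, but the shape is the same: the patch itself is the search query.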

"We only searched [Windows] for that for 2020 and found the two cases of it," said Segal.

Segal and Bar believe they, and any researchers who choose to adopt their method, can dramatically speed up the vulnerability disclosure process — faster than modern reversing methods and fuzzers currently allow.

"It's like, like winning the lottery without having to pay for a ticket," said Segal.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
