When people — or businesses — make mistakes, they tend to make them more than once. A research team from SafeBreach is taking advantage of repeated errors to find new zero-day vulnerabilities on software platforms.
Tomer Bar and Eran Segal, who will present their research Friday at DEF CON, developed an automated patch-analysis engine and applied it to the recent history of Windows Patch Tuesday releases. What they found was that when a coding mistake was repaired in one component of the operating system, the same vulnerability would often later have to be patched in other components. It is a process they used to discover six zero days, five of them still unpatched. It is a process they can replicate on other complex platforms, and one that becomes more accurate as more patch data is fed into it.
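To make the idea concrete, here is a small, added example of the technique the paragraph describes: take the before/after source of a fix in one component, abstract the line the fix guards so that renamed variables still match, and then look for the same unguarded line in other components. This is illustrative code written for this article, not SafeBreach's engine, which works on Windows patches rather than C source; the component names and the C snippets are constructed for the example.

```python
"""
Toy 'patch-pattern propagation' scanner (added example, not SafeBreach's tool).
Input: the before/after text of a fix in one component plus the source of other
components.  Output: places where the same pattern still appears unguarded.
All sample code below is constructed for this example.
"""
import difflib
import re
from dataclasses import dataclass
from typing import Optional

# C keywords kept verbatim during abstraction; everything else that is not a
# call (identifier followed by "(") is treated as a renameable variable.
KEYWORDS = {"if", "else", "return", "for", "while", "int", "void", "char",
            "const", "unsigned", "sizeof", "NULL"}
IDENT = re.compile(r"[A-Za-z_]\w*")
NUMBER = re.compile(r"\b\d+\b")

# Constructed: the fix as shipped in component A (a length check added).
BEFORE_A = """
int read_record(char *dst, const char *src, unsigned len) {
    memcpy(dst, src, len);
    return len;
}
"""
AFTER_A = """
int read_record(char *dst, const char *src, unsigned len) {
    if (len > MAX_RECORD) return -1;
    memcpy(dst, src, len);
    return len;
}
"""
# Constructed: other components that may or may not have received the same fix.
CORPUS = {
    "component_b": """
int copy_topic(char *out, const char *in, unsigned n) {
    memcpy(out, in, n);
    return n;
}
""",
    "component_c": """
void set_title(char *buf, const char *t, unsigned n) {
    if (n > MAX_TITLE) return;
    memcpy(buf, t, n);
}
""",
    "component_d": """
int push_node(node_t *stack, node_t *n, unsigned depth) {
    stack[depth] = *n;
    return depth;
}
""",
}

def abstract(line: str) -> str:
    """Strip whitespace, replace numbers with $N and variable-like identifiers
    with $V, so 'memcpy(dst, src, len);' and 'memcpy(out, in, n);' coincide."""
    compact = re.sub(r"\s+", "", line)
    def repl(m):
        name = m.group(0)
        if name in KEYWORDS or compact[m.end():m.end() + 1] == "(":
            return name
        return "$V"
    return NUMBER.sub("$N", IDENT.sub(repl, compact))

def variables(line: str) -> list:
    """The identifiers abstract() would turn into $V, in source order."""
    out = []
    for m in IDENT.finditer(line):
        name = m.group(0)
        if name not in KEYWORDS and line[m.end():].lstrip()[:1] != "(":
            out.append(name)
    return out

@dataclass
class FixSignature:
    vulnerable: str            # abstracted line the added guard protects
    guard: str                 # abstracted guard line the patch inserted
    tracked_arg: Optional[int] # position in `vulnerable` of the variable the guard checks

def derive_signature(before: str, after: str) -> FixSignature:
    """Diff the two versions: the inserted line is the guard, and the 'before'
    line at the insertion point is the line it protects."""
    b = [l for l in before.splitlines() if l.strip()]
    a = [l for l in after.splitlines() if l.strip()]
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, b, a).get_opcodes():
        if tag == "insert" and i1 < len(b):
            guard, protected = a[j1], b[i1]
            guard_vars = set(variables(guard))
            tracked = next((k for k, v in enumerate(variables(protected))
                            if v in guard_vars), None)
            return FixSignature(abstract(protected), abstract(guard), tracked)
    raise ValueError("patch does not insert a guard line")

def scan(sig: FixSignature, corpus: dict) -> list:
    """Return (component, line_no, line) for every match of the protected
    pattern that has no earlier 'if' in the snippet mentioning the tracked variable."""
    hits = []
    for name, src in corpus.items():
        lines = src.strip().splitlines()
        for idx, line in enumerate(lines):
            if abstract(line) != sig.vulnerable:
                continue
            here = variables(line)
            tracked = here[sig.tracked_arg] if sig.tracked_arg is not None and sig.tracked_arg < len(here) else None
            guarded = any(p.lstrip().startswith("if") and tracked in variables(p)
                          for p in lines[:idx]) if tracked else False
            if not guarded:
                hits.append((name, idx + 1, line.strip()))
    return hits

if __name__ == "__main__":
    signature = derive_signature(BEFORE_A, AFTER_A)
    for component, line_no, text in scan(signature, CORPUS):
        print(f"{component}:{line_no}: unguarded '{text}' (fixed elsewhere by {signature.guard})")
```

On the constructed corpus the scanner flags component_b, skips component_c because an earlier `if` already constrains the length variable, and ignores component_d because its line does not match the abstracted pattern. The same loop works unchanged when `CORPUS` holds the corresponding code of a second operating system or release branch instead of sibling components, which is the cross-platform variant discussed later in the article. Real engines must cope with compiled binaries, multi-line fixes and far noisier matching; the point here is only the shape of the idea, that one fix yields a signature you can hunt for everywhere else.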
And it is a process they are releasing as open source.
"Everybody can use it, Microsoft and also other researchers, and we encourage them to. We believe that this is just the tip of the iceberg. We found six vulnerabilities. We believe that there are a lot more out there," Bar told SC Media.
Bar and Segal used patch data dating back to 2016 to find their set of vulnerabilities. The patched vulnerability, CVE-2021-34507, was found in Windows Remote Assistance; the unpatched ones are in Help, Management Console, Media Player, the XML schema definition tool and the XSLT compiler.
The same approach could be used to find patches made in one operating system that were never applied, or were only partially applied, to another.
"We only searched [Windows] for that for 2020 and found the two cases of it," said Segal.
Segal and Bar believe they, and any researchers who adopt their method, can dramatically speed up vulnerability discovery and disclosure, well beyond what current reverse-engineering methods and fuzzers allow.
"It's like, like winning the lottery without having to pay for a ticket," said Segal.