
Abstract


Brian Pak (Cai) Co-founder/Researcher at Theori. Reverse engineering / Exploit dev. Automotive security. R&D.
Founder of Plaid Parliament of Pwning (PPP) CTF team. 3 wins at DefCon CTF finals, and numerous wins at other international CTFs.

[Abstract]
==========
Every Patch Tuesday, many people get busy. Whether you are an IT administrator who needs to deploy patches or a security researcher who wants to learn what vulnerabilities were fixed (or a pentester who wants to develop 1-day exploits), you have to maintain and manage released patches -- especially if you have to do it for multiple systems.

In this talk, we take a look at the general process of patch analysis. We walk through each step, from downloading the patch to a weaponized exploit. For the case study, we perform the analysis for CVE-2016-0189 (vbscript.dll) and a jscript9.dll security bug fixed in MS16-063.

At Theori, we built a system called 'Petch' (_P_atch + F_etch_) that can help you manage Microsoft's patches/updates more effectively. The system expedites patch analysis by providing a database of the updates of interest, as well as the symbol files for the executable files. Petch is not a cloud service, but we will open source it shortly after the conference, so it can be set up locally.

While we only cover browser vulnerabilities and exploits, the techniques and tools can be used for a variety of things such as kernel drivers.
