Persist It: Using and Abusing Microsoft's Fix It Patches

Presented at Black Hat Asia 2014

Microsoft has often used Fix It patches, which are a subset of Application Compatibility Fixes (shims), as a way to stop newly identified, actively exploited attack methods against its products. A common Fix It patch type used to prevent exploitation is the previously undocumented In Memory Fix It. This research first focuses on analyzing these in-memory patches: by extracting information from them, researchers are able to better understand the vulnerabilities that Microsoft intended to patch. The research then focuses on reverse engineering the patches and using this information to show how patches of the same kind can be created and used to maintain persistence on a system.


Presenters:

  • Jon Erickson - ISIGHT Partners
    Jon Erickson is an engineer within the research lab at iSIGHT Partners, the leader in cyber threat intelligence, which focuses exclusively on analyzing and understanding the global threat ecosystem. Before joining iSIGHT, Jon made the rounds with various government contractors and before that served in the United States Air Force. Jon has worked in the security industry for more than 10 years, has a BS in Computer Science from George Mason University, and is currently working on his master's degree. He has contributed to a number of CVEs and continuously works to help new security researchers better themselves within the field.