What are security holes?
Security holes are constantly discovered in all sorts of software, anti-virus products included, and to plug them software vendors issue patches - also called "fixes" or just plainly "security updates" - to offer an immediate quick-repair solution for the problem and/or a general enhancement of the software.
Flaws in Microsoft's software seem to be the most popular to exploit, so the American software giant releases a lot of patches. But other common desktop applications like Firefox, QuickTime, RealPlayer, Adobe Reader, Adobe Flash Player, and Sun Java Runtime Environment also need to be patched often to fix security issues.
In 2003, Microsoft introduced Patch Tuesday to simplify patch management. Patch Tuesday is the second Tuesday of each month, when Microsoft releases the newest fixes for Windows and related software applications like Internet Explorer, the Office suite, and Windows Media Player.
Microsoft's patches are distributed via Automatic Updates and the company's Microsoft Update downloads website.
Unfortunately, releasing patches also means that cyber-criminals are able to analyse the patch code and exploit the vulnerabilities that the patches were intended to deal with. Therefore, many exploits appear shortly after a patch is released, and the term "Exploit Wednesday" was coined for the day following Patch Tuesday. Malware authors also know that if they start exploiting a vulnerability not known to Microsoft right after Patch Tuesday, it will normally be an entire month before Microsoft releases a patch to fix it.
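The "entire month" exposure window above can be put in numbers. This added example (not part of the original article) computes Patch Tuesday, Exploit Wednesday and the number of days a flaw first exploited on a given date stays without a scheduled fix, including the December-to-January rollover; the dates passed in are constructed for illustration.

```python
from datetime import date, timedelta

TUESDAY = 1  # date.weekday(): Monday=0 ... Sunday=6


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month, Microsoft's regular patch release day."""
    first = date(year, month, 1)
    days_to_first_tuesday = (TUESDAY - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def exploit_wednesday(year: int, month: int) -> date:
    """Day after Patch Tuesday, when exploits derived from the patches tend to appear."""
    return patch_tuesday(year, month) + timedelta(days=1)


def next_patch_tuesday(after: date) -> date:
    """First scheduled Patch Tuesday strictly after the given date (handles year rollover)."""
    candidate = patch_tuesday(after.year, after.month)
    if candidate > after:
        return candidate
    year, month = (after.year + 1, 1) if after.month == 12 else (after.year, after.month + 1)
    return patch_tuesday(year, month)


def exposure_window(first_exploited: date) -> int:
    """Days between a flaw's first exploitation and the next scheduled fix.

    A flaw exploited on Exploit Wednesday waits almost the whole month for
    the next Patch Tuesday; the gap only closes earlier if the vendor ships
    an out-of-band update.
    """
    return (next_patch_tuesday(first_exploited) - first_exploited).days


if __name__ == "__main__":
    for year, month in [(2008, 4), (2009, 12)]:  # constructed sample months
        wed = exploit_wednesday(year, month)
        print(f"{wed}: exposure until next scheduled patch = {exposure_window(wed)} days")
```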
Fast-working criminals
Today's cybercriminals are very fast at creating exploit code. When Microsoft issues patches, exploit code for the publicly disclosed vulnerabilities will usually appear the same or the next day. Hackers are able to do that through reverse engineering.
In April 2008, a group of computer researchers urged Microsoft to redesign the way it distributes patches, after they created a technique that automatically produces attack code by comparing the vulnerable and repaired versions of a program.
A well-known attack based on a security hole is Operation Aurora, a targeted malware attack against at least 30 major companies — including Google and Adobe — which exploited a zero-day flaw in Internet Explorer. The exploit allowed malware to load onto users' computers. Once loaded, the malware could take control of the computer to steal corporate intellectual property.
In conclusion, using an automated tool, an exploit could be created in a few minutes or less after looking at the patch, according to the researchers. This means it is theoretically possible for attackers to start trying to exploit machines a short time after obtaining the patch, putting more PCs at risk of becoming infected with malicious software.