Thanks to Alex for emailing me a link to this great news story. The story is on SecurityFocus
and is titled "Reverse engineering patches making disclosure a moot choice?
" and is by Robert Lemos. The article talks about the latest trends in doing a binary comparison of a pre-patched binary and its post patched cousin. The latest tools such as BinDiff from SABRE Security
have been used by Halvar Flake to demonstrate how easy it was to reverse engineer the patch for pinpointed the portable networked graphics (PNG) vulnerability fixed in a recent Microsoft patch. This article also highlights the fact that the time to find an exploit after a patch is released has been dropping.
The article also quotes Mary Ann Davidson the Chief Security Officer for Oracle who says she will not be altering Oracles patching mechanisms just yet but she is aware of the techniques and issues being discussed here. This article is worth reading if you are interested in just how quickly you need to patch up a database after the patches are released.