Patch paper redux: Move along please
Published: 2008-04-30

Security researchers have called the recent paper on automated patch-based exploit generation "interesting" and "impressive," but do not agree with the authors that Microsoft -- or any other software company -- need worry about machine-generated attacks any time soon.

The paper puts forward strong techniques for finding specific inputs that trigger vulnerabilities, said Thomas Dullien, a reverse-engineering expert better known in the security community as "Halvar Flake." However, the technique has serious limitations: it can find only relatively simple vulnerabilities, and its computational cost rises quickly. While the research advances automated exploit generation, the paper's conclusion that software vendors need to revamp their update distribution methods is wrong, Dullien stated in a blog post on the research paper.

"The APEG paper is really good, but it uses confusing terminology -- exploit ~= vulnerability trigger -- which leads to its impact on patch distribution being significantly overstated," Dullien stated. "It's good work, but the sky isn't falling, and we are far away from generating reliable exploits automatically from arbitrary patches."

The paper -- written by computer scientists at Carnegie Mellon University, the University of California at Berkeley and the University of Pittsburgh -- claimed that the authors' technology could create exploits for specific vulnerabilities in a matter of seconds, given only the patch that fixes the vulnerability. While the technique appears to create specific inputs that can cause denial-of-service conditions -- and potentially hijack program control -- the trick is to do so reliably, Gunter Ollman, a researcher at IBM Internet Security Systems, stated in a critique of the paper.

Many security professionals reverse engineer patches -- particularly patches pushed out by Microsoft -- to find the vulnerabilities fixed by the update. In many cases, they create exploits for the flaws manually. Within a few days, and sometimes hours, of Microsoft releasing its monthly patches, attack code for many of the flaws is created. The paper does not change the threat, Robert Graham, CEO of Errata Security, said on his company's blog. Yet Graham agreed with the authors that the threat does exist.

"It's certainly an interesting development, but in the real world, it wouldn't significantly reduce the amount of time it takes to make fully functional exploits from reverse-engineered patches," Graham stated. "However, this time is already worrisomely short, which means while you shouldn't be more scared by this paper, you should already be very scared."

If you have tips or insights on this topic, please contact SecurityFocus.



Posted by: Robert Lemos
Copyright 2009, SecurityFocus