What are security holes?

Security holes are constantly discovered in all sorts of software and to plug the holes software vendors issue patches - also called "fixes" or just plainly "security updates" - to offer an immediate quick-repair solution for the problem and/or a general enhancement of the software.

Flaws in Microsoft's software seem to be the most popular to exploit, so the American software giant releases a lot of patches. But other common desktop applications like Firefox, QuickTime, RealPlayer, Adobe Reader, Adobe Flash Player, and Sun Java Runtime Environment also often need to be patched to fix security issues.

In 2003, Microsoft introduced Patch Tuesday to simplify patch management. Patch Tuesday is the second Tuesday of each month, when Microsoft releases the newest fixes for Windows and related software applications like Internet Explorer, the Office suite, and Windows Media Player.

Microsoft's patches are distributed via Automatic Updates and the company's Microsoft Update downloads website.

Unfortunately, releasing patches also means that cyber-criminals are able to analyse the patch code and exploit the vulnerabilities that the patches were intended to deal with. Therefore a lot of exploits are seen shortly after the release of a patch and the term "Exploit Wednesday" was coined for the day following Patch Tuesday. Malware authors also know that if they start exploiting a vulnerability not known to Microsoft right after Patch Tuesday, it will normally be an entire month before Microsoft releases a patch to fix it. In 2006 Microsoft only broke its patch cycle twice to release very critical fixes.

Today's cyber-criminals are very fast at creating exploit code. When Microsoft issues patches, exploit code for the publicly disclosed vulnerabilities will usually appear the same or the next day. Hackers are able to do that through reverse engineering.

In April 2008, a group of computer researchers urged Microsoft to redesign the way it distributes patches, after they created a technique that automatically produces attack code by comparing the vulnerable and repaired versions of a program.

Using an automated tool, an exploit could be created in a few minutes or less after looking at the patch, according to the researchers. This means it is theoretically possible for hackers to start trying to exploit machines a short time after the attackers have received the patch, putting more PCs at risk of becoming infected with malicious software.

Source: http://www.bullguard.com