TL; DR: ACROS Security is helping admins fix critical vulnerabilities while shortening the time it takes to make updates with 0patch, a platform to distribute, apply, and remove microscopic binary patches. These micropatches can be easily applied to commonly exploited processes to instantly eliminate vulnerabilities — all without having to relaunch the application or reboot the computer. Moving forward, the company will provide admins even greater control over its approach to security with 0Patch Central, a robust management console already available for early access.
For years, the process of applying software patches has been somewhat of a necessary evil.
IT admins, managers, and security professionals undoubtedly recognize that security patching is a crucial step in removing vulnerabilities. Still, many agree that staying up to date can be overwhelming — at best.
According to a 2017 study by ACROS Security, the wide security update gap prevalent in businesses across the globe isn’t caused by a lack of awareness or funding. Instead, nearly three-quarters of respondents (72%) said they worry that software updates will break their production systems.
In addition, more than half (52%) of those surveyed said applying patches disturbs daily business processes, and another 44% said they can’t bear the downtime associated with rebooting entire systems.
ACROS Security is attempting to solve these problems and more with 0patch, the company’s revolutionary platform for distributing, applying, and removing microscopic binary patches.
Unlike traditional security patches, these micropatches are light enough to fix vulnerabilities without restarting applications or rebooting computers, and they won’t introduce the substantial risks associated with large code changes. In many cases, 0patch can shorten the security update gap to days or even hours.
“We call them micropatches because they’re so small — typically anywhere from 10 to 30 bytes of code,” said Mitja Kolsek, CEO & Co-Founder at 0patch. “They don’t consume a lot of bandwidth, and you can even download them from a satellite link if you need to.”
Moving forward, ACROS Security will grant admins and IT managers even greater control when it comes to security management through 0patch Central, a robust management console already available to users by request.
Leveraging Two Decades of Experience in Security Assessments
ACROS Security, a Slovenia-based company specializing in security assessments, was founded in 1999. Back then, businesses mainly hired the company to break into their software and then help them fix any discovered vulnerabilities.
“We were lucky enough to impress some of the U.S. companies by proving that we knew how to find holes in their software,” Mitja said. “This launched us into the U.S. market.”
ACROS Security’s customer base continued to expand, particularly in Silicon Valley. Several customers, including a fair number of banks, began to leverage the company’s penetration tests, which simulate actual attacks. The company managed to break into customers’ systems every time, but Mitja said it wasn’t because their employees were geniuses. It was because performing the attacks was easy.
“Basically, every time we were hired to break into a network, we just searched for publicly known vulnerabilities, usually in Windows or products like Adobe Reader or Adobe Flash,” Mitja said. “There were, and still are, a lot of N-day vulnerabilities.”
These unintended flaws are known to the software vendor but haven’t been patched, leaving the potential for cybercriminals to exploit security holes.
“After doing that for nearly 15 years, we noticed that it was not getting any harder to break into these decent-sized networks, even though next-generation technology security products were getting launched every year,” Mitja said.
After conversations with admins and customers whose defenses had been breached, ACROS Security realized that many organizations delay the application of official vendor updates for days, weeks, or sometimes even months.
“It’s really a matter of being between a rock and a hard place for admins,” Mitja said. “On one hand, they know that if they don’t apply these patches, they may be vulnerable to attacks. But if they do apply them, they might single-handedly stop operations.”
So, in 2016, more than a decade after its founding, ACROS Security introduced 0patch as a solution for patching hesitation. To date, the company has supplied more than 400 micropatches that address some of the most important, commonly-exploited software holes.
Remove Vulnerabilities Easily and Instantaneously
Some of the most critical vulnerabilities that allow an attacker to remotely gain access to a user’s computer are small flaws in code that can be fixed with a simple modification to just a couple of CPU instructions in the program. This makes micropatching an ideal solution for a wide range of customers due to their size and minimal risk. Consider, for example, a company that sends sales people traveling across the globe.
“You could apply updates on their machines the night before they have a meeting, and suddenly those machines aren’t working anymore,” Mitja said. “It’s a nightmare because you have no way to physically access those machines to remove the updates.”
The process is so unobtrusive that users don’t even have to know about it, in contrast with the typical approach, where computers need to be restarted. With micropatching, a sysadmin looking to patch Microsoft Word could do so while the user is still typing, rather than replacing libraries or the entire product, which introduces a significant risk of error.
“That’s how we think security patching should be done these days,” Mitja said. “The ideal situation is leaving the product as is and just changing those few bytes of code.”
Once a user installs the 0patch agent, it will contact 0patch’s server every hour in search of new patches. But right now, the patches are so small that the company is just sending all new patches to each agent proactively. That way, the patches will be available, even if the user is offline and installs a vulnerable product.
Plays Well with Vendor Updates, Delivers Security after End-of-Support
Users don’t have to worry that 0patch will interfere with official vendor updates from companies such as Microsoft. If ACROS Security issues a micropatch for a vulnerability in a Windows component, for instance, it will be applied upon the launch of that component.
“But when patch Tuesday comes and you get official updates from Microsoft, if they patch that same vulnerability, our micropatch will automatically stop being applied — you don’t have to do anything or have any extra burden as an admin,” Mitja said.
0patch focuses primarily on patching a wide range of Windows products due to Microsoft’s prominence in workstations around the world, which Mitja told us are the main gateway for attackers looking to breach any type of corporate or government network.
In September, the company announced that it will offer micropatches that keep Windows 7 and Windows Server 2008 secure even after Microsoft phases out support for the products on January 14, 2020.
“We decided to ‘security adopt’ those two products, which means we are committed to providing important security updates via informal micropatches for these platforms,” Mitja said. “This will help those who cannot afford or are not eligible to receive extended security updates from Microsoft and have to remain on platforms that are going to reach end-of-support.”
The updates will not be a replica of what one would typically receive from Microsoft because 0patch has different criteria for micropatching. One important difference is that 0patch must have a proof of concept (PoC) exploit in place before issuing a patch.
“We need to have a test case to be able to trigger that vulnerability — it’s not enough just to know that a vulnerability exists,” Mitja said. “We have to analyze what actually happens when the vulnerability is triggered because we don’t have the source code.”
New: Take Charge of Your Security with 0Patch Central
0patch’s latest innovation is a central control portal that will allow businesses of all sizes to deploy micropatches to endpoints as it would traditional patches.
Early access to the product, known as 0Patch Central, is now available for those looking to protect nontrivial fleets of Windows computers with micropatches (customers may request access by emailing firstname.lastname@example.org).
“You can organize your computers into groups so you can still have a testing group to 10 or 20 computers that you want to apply our micro patches to immediately, to see whether they’re causing any problems,” Mitja said. “Because we are humans, we are going to make mistakes. We haven’t so far in all these patches that we made, but we certainly will, at some point. Fortunately, our micropatches can be revoked as quickly and painlessly as they are applied. We can revoke a micropatch, and within 60 minutes, it won’t be applying on any internet-connected computer anymore.”
Ultimately, 0Patch is on a mission to reduce risk and downtime as much as possible.
“We can’t think of any better technology or approach to that,” Mitja told us. “Changing as few bytes of code as possible is basically in the DNA of micropatching, and everything else — not having to relaunch applications, etc. — is just a convenient side effect.”