The length of time between the development of security patches and the development of exploits targeting the security holes they address has been dropping for some time. Hackers exploit this period of time - the so-called patch window - to launch attacks against unpatched machines. Typically, exploits are developed by skilled …
So what's there to stop some hacker from buying a legal copy of the app...
...and legally get the (secure ??) patch, reverse engineer that and create an attack based on the reverse engineering ??
Who guards the guardians ??
@Ishkandar - Received patch to exploit window
This is what is being done on Windows all the time. To combat this, Microsoft has been releasing "obfuscated" patches where a simple "diff" will generate too much information to dig through.
If the hacker is supported by an organization (i.e., he has a budget) then of course he'll get the application, along with updates. The automated tools are applied to create something which will crash the app, which gives the hacker the quick toe-hold he needs to create something to compromise the app. When the app crashes, that means that it has executed something it wasn't supposed to. Then exploit code is written to not crash the app, but compromise it.
- SMASH the Bash bug! Red Hat, Apple scramble for patch batches
- A BENDY iPhone 6, you say? Pah, warp claims are bent out of shape: Consumer Reports
- eXpat Files 'Could we please not have naked developers running around the office BEFORE 10pm?'
- CoTW Emma Watson should SHUT UP, all this abuse is HER OWN FAULT
- Vulture at the Wheel Renault Twingo: Small, sporty(ish), safe ... and it's a BACK-ENDER