True, if the binary we're micropatching for a particular vulnerability doesn't get changed by the vendor's update, the micropatch will keep getting applied to it. That causes no problem, though: you simply get an additional (albeit unneeded) layer of protection against exploitation of a vulnerability that is now patched twice.
In coding terms, think of it like this: suppose there's a buffer overflow in function B of module B.DLL, triggered by input data passed to it by function A of module A.DLL. The bug can be fixed either in function A, by truncating the input data before the call to function B, or in function B, by truncating it before copying it into the destination buffer. If we decide to micropatch function A, the exploit is blocked in A.DLL. If the vendor subsequently patches function B, the exploit is from then on also blocked in B.DLL. If the vendor's update didn't modify A.DLL, our micropatch keeps getting applied, but it now operates on input that function B would truncate anyway and is therefore redundant. It does no harm: both fixes clamp the input to the same length, so the data that reaches the destination buffer is identical whether one or both of them are in place.
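The A.DLL/B.DLL scenario, modelled as a small C program. This is an added example, not code from the original post or from any 0patch micropatch: the function names, the 16-byte destination buffer and the canary-filled guard region (used so that the original function B's overflow is observable instead of corrupting unrelated memory) are all my own constructions. It runs all four combinations of unpatched/micropatched A and unpatched/vendor-patched B on the same oversized input and reports how many bytes landed past the buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* "B.DLL" destination buffer (DST_SIZE bytes) backed by a larger guard
 * region filled with a canary, so an overflow can be measured safely.
 * Constructed for this example only. */
#define DST_SIZE   16
#define GUARD_SIZE 48
#define CANARY     0xAA

struct dst_ctx {
    unsigned char mem[DST_SIZE + GUARD_SIZE]; /* [0, DST_SIZE) is the real buffer */
};

typedef size_t (*b_fn)(struct dst_ctx *, const unsigned char *, size_t);
typedef size_t (*a_fn)(b_fn, struct dst_ctx *, const unsigned char *, size_t);

static void ctx_init(struct dst_ctx *c) { memset(c->mem, CANARY, sizeof c->mem); }

/* Bytes written beyond the real buffer: guard bytes that no longer hold the canary. */
static size_t ctx_overflow_bytes(const struct dst_ctx *c) {
    size_t n = 0;
    for (size_t i = DST_SIZE; i < sizeof c->mem; i++)
        if (c->mem[i] != CANARY) n++;
    return n;
}

/* Function B, original: trusts len and copies blindly -- the buffer overflow. */
static size_t b_original(struct dst_ctx *c, const unsigned char *src, size_t len) {
    if (len > sizeof c->mem) len = sizeof c->mem; /* demo-only: stay inside the guard region */
    memcpy(c->mem, src, len);
    return len;
}

/* Function B after the vendor's fix: clamps len before the copy. */
static size_t b_vendor_patched(struct dst_ctx *c, const unsigned char *src, size_t len) {
    if (len > DST_SIZE) len = DST_SIZE;
    memcpy(c->mem, src, len);
    return len;
}

/* Function A, original: forwards attacker-controlled input unchanged. */
static size_t a_original(b_fn b, struct dst_ctx *c, const unsigned char *in, size_t len) {
    return b(c, in, len);
}

/* Function A with the micropatch applied: truncates before calling into B. */
static size_t a_micropatched(b_fn b, struct dst_ctx *c, const unsigned char *in, size_t len) {
    if (len > DST_SIZE) len = DST_SIZE;
    return b(c, in, len);
}

struct outcome { size_t copied; size_t overflowed; };

/* Runs one A/B combination on constructed oversized input (40 bytes of 'X'). */
static struct outcome run(a_fn a, b_fn b) {
    unsigned char input[40];
    struct dst_ctx c;
    struct outcome o;
    memset(input, 'X', sizeof input);
    ctx_init(&c);
    o.copied = a(b, &c, input, sizeof input);
    o.overflowed = ctx_overflow_bytes(&c);
    return o;
}

int main(void) {
    struct { const char *name; a_fn a; b_fn b; } cases[] = {
        { "unpatched        ", a_original,     b_original       },
        { "micropatch only  ", a_micropatched, b_original       },
        { "vendor patch only", a_original,     b_vendor_patched },
        { "both (redundant) ", a_micropatched, b_vendor_patched },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct outcome o = run(cases[i].a, cases[i].b);
        printf("%s  copied=%zu  bytes past buffer=%zu\n", cases[i].name, o.copied, o.overflowed);
    }
    return 0;
}
```

Only the unpatched combination writes past the buffer (24 of the 40 input bytes). The other three produce the same result, a 16-byte copy with nothing past the end, which is exactly the "doubly patched" case: the micropatch in A and the vendor fix in B clamp to the same length, so applying both changes nothing compared with applying either one.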