While the term "virtual patching" has been used in many different contexts, its most common meaning is that of some network appliance ("firewall") or network-monitoring software product inspecting untrusted data heading towards the vulnerable product, detecting a pattern that looks like an exploit of a known vulnerability, and blocking that data in transit before it could reach the vulnerable code.
Virtual patching has both advantages and disadvantages compared to actual patching. Its most important advantage is speed: a new rule can be pushed to the appliance within hours of a vulnerability becoming known, with no change to the vulnerable product. Its main disadvantage is its inherent reliance on pattern-matching, i.e., on recognizing the exploit in the intercepted data. Attackers are very good at obfuscating exploits (alternative encodings, fragmentation, equivalent syntax) for the exact purpose of bypassing such "signature-based" protection mechanisms.
A virtual patch doesn't actually patch a vulnerability; it puts a policeman on the main road between the attacker and the vulnerability, and the attacker can still get past by using a sufficiently sophisticated disguise, or sometimes simply by taking the country road instead (a network path the appliance doesn't see, an encrypted channel it can't inspect, or local access to the machine). In contrast, patching provided by 0patch actually corrects the flawed code that is getting executed, thereby eliminating the vulnerability altogether. Once the vulnerability is gone, it doesn't matter which road the attacker takes or how clever a disguise they use.
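To make the "disguise" and "country road" points concrete, here is a small added example (not code from 0patch or from any real appliance). It models a hypothetical file-serving handler with a path-traversal flaw, a signature-based "virtual patch" that blocks requests containing `../`, and a code-level fix. The document root `/srv/app/public`, the request paths and the decision strings are all constructed for this illustration; the code only computes the path the handler would open and never touches the filesystem.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical document root for the example (constructed, not a real deployment).
BASE = "/srv/app/public"

# The "virtual patch": an inline filter that looks for this literal on the wire.
TRAVERSAL_SIGNATURE = "../"


def virtual_patch_allows(raw_path: str) -> bool:
    """Network-side filter: sees the request exactly as it appears on the wire,
    before the application decodes it."""
    return TRAVERSAL_SIGNATURE not in raw_path


def vulnerable_resolve(raw_path: str) -> str:
    """The flawed code: URL-decodes the request and joins it under BASE
    without checking that the result stays inside BASE."""
    decoded = unquote(raw_path)
    return posixpath.normpath(posixpath.join(BASE, decoded))


def escapes_root(path: str) -> bool:
    """True if a resolved path lies outside the document root."""
    return not (path == BASE or path.startswith(BASE + "/"))


def fixed_resolve(raw_path: str):
    """The real patch: same decoding, but the containment check now lives in
    the code that actually opens the file, so it applies regardless of how the
    request was encoded or which way it arrived."""
    target = vulnerable_resolve(raw_path)
    return None if escapes_root(target) else target


def handle(raw_path: str, via_appliance: bool, code_fixed: bool) -> str:
    """Simulate one request.

    via_appliance: whether the request passed the inline filter at all
                   (False models the "country road").
    code_fixed:    whether the vulnerable code itself has been corrected.
    Returns the path the handler would open, or a string naming what stopped it.
    """
    if via_appliance and not virtual_patch_allows(raw_path):
        return "blocked_by_signature"
    if code_fixed:
        target = fixed_resolve(raw_path)
        return "rejected_by_code" if target is None else target
    return vulnerable_resolve(raw_path)


if __name__ == "__main__":
    plain = "../../../etc/passwd"          # matches the signature
    disguised = "..%2f..%2f..%2fetc%2fpasswd"  # same path, URL-encoded slashes
    for label, req, via, fixed in [
        ("plain, via appliance, unpatched code", plain, True, False),
        ("disguised, via appliance, unpatched code", disguised, True, False),
        ("plain, country road, unpatched code", plain, False, False),
        ("disguised, via appliance, fixed code", disguised, True, True),
        ("plain, country road, fixed code", plain, False, True),
    ]:
        print(f"{label}: {handle(req, via, fixed)}")
```

Run as a script, the output shows the plain payload being blocked by the signature, the URL-encoded payload walking straight past the filter and resolving to `/etc/passwd` in the unpatched code, the same plain payload succeeding when it arrives by a path the appliance doesn't see, and both attempts failing once the containment check is in the code itself. Extending the signature to cover `%2f` only moves the problem: backslashes, double encoding and overlong UTF-8 sequences are the next disguises, which is exactly the arms race the text describes.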
In addition, 0patch's in-memory patches can be applied, un-applied or updated just as quickly as virtual patches, without restarting computers or relaunching applications.
To be fair, virtual patching does have one advantage over 0patch: intercepting and blocking data on the network makes it platform-agnostic, i.e., it can address vulnerabilities in different operating systems and in different execution frameworks and languages in the same way. 0patch, in contrast, currently only works on Windows native executable code and can therefore only patch vulnerabilities in Windows native code.