A common question is, “How does a hacking programmer learn about a flaw or vulnerability in the first place?” There are many ways new weaknesses or vulnerabilities are uncovered, but the three most common are source code review, patch dissection, and fuzzy testing.
1. Source code review is the process of looking through the original code or decompiled code of the target software of choice. If the hacker can obtain the original source code of a specific software product, he often has a good chance of reading through the code and noticing a typo, error, logical issue, design flaw, etc. If only the final compiled software is available, a decompiler can recover source code that may not be as elegant as the original in terms of layout and variable naming but can still reveal errors and flaws to a skilled programmer.
2. Patch dissection is the process of examining the parts of a target application that are patched or altered when a software update is applied. By monitoring the changes made by patches, hackers discover issues in code that they were previously unaware of. Generally, once a hacking programmer is aware of a software bug or error, an exploit can be crafted to take advantage of that error in a matter of hours.
Even though a vendor now offers a fix for the vulnerability, most companies and individuals who use the software won’t be aware of the patch for days, and there may be delays in getting patches installed. Companies often have a patch management procedure that only operates once a week or once a month. A patch management procedure typically involves testing new code on isolated lab systems to determine the effects the update would have on the production environment. Only after the consequences of the new code are understood is it considered for rollout. If the ramifications of new updates are too impactful on production, the installation may be delayed or put off indefinitely.
3. Fuzzy testing, more commonly called fuzz testing or fuzzing, is a form of software stress testing that sends random, invalid, and unexpected data to a target application. The purpose is to test the reaction and response of the software to a wide range of unexpected input. If abnormalities are detected or errors are generated, the findings of the fuzzing tool can be used to develop new exploit code. Fuzzing tools can run against a target software product for months without finding a single issue. However, when issues are discovered (which occurs much more often than we might wish), new exploits are crafted taking advantage of those newly discovered vulnerabilities.
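The fuzz-testing loop described above, as an added example that is not part of the white paper: a constructed toy `LEN|TYPE|PAYLOAD` record parser with a deliberate length-trust defect, a mutator that produces random, truncated and invalid variants of a known-good record, and an oracle that separates clean input rejection from real abnormalities. The record format, function names and seed record are all assumptions made for this illustration.

```python
import random

def parse_record(data: bytes) -> dict:
    """Toy parser for a constructed 'LEN|TYPE|PAYLOAD' record format.
    It carries a deliberate, typical defect: the declared length is trusted
    and never compared with the real payload size."""
    header, _, rest = data.partition(b"|")
    length = int(header)                  # malformed header -> ValueError (clean rejection)
    if length < 0:
        raise ValueError("negative length")
    rtype, _, payload = rest.partition(b"|")
    # Defect: reads `length` bytes even when the payload is shorter -> IndexError.
    checksum = sum(payload[i] for i in range(length)) & 0xFF
    return {"type": rtype.decode("ascii"), "payload": payload[:length], "checksum": checksum}

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Produce one random, invalid or unexpected variant of a known-good record."""
    data = bytearray(seed)
    strategy = rng.choice(("flip", "insert", "truncate", "bignum", "empty"))
    if strategy == "flip":                # random: corrupt one bit
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif strategy == "insert":            # unexpected: an extra byte anywhere
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif strategy == "truncate":          # invalid: record cut short
        del data[rng.randrange(len(data) + 1):]
    elif strategy == "bignum":            # invalid: absurd declared length
        data = bytearray(str(rng.choice((2**31, 2**63, 10**9))).encode()) + data[data.find(b"|"):]
    else:                                 # unexpected: nothing at all
        data = bytearray()
    return bytes(data)

def fuzz(seed: bytes, iterations: int, rng_seed: int = 0) -> list:
    """Feed mutated inputs to the parser and record abnormalities.
    A ValueError means the parser cleanly rejected bad input and is not a finding;
    any other exception is an abnormality a developer should look at."""
    rng = random.Random(rng_seed)         # fixed seed so every finding can be reproduced
    findings = []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parse_record(case)
        except ValueError:
            continue
        except Exception as exc:
            findings.append((type(exc).__name__, case))
    return findings
```

`fuzz(b"5|msg|hello", 300)` returns (exception name, input) pairs, here truncated and oversized-length records that trip the IndexError; because the generator is seeded, the same inputs come back on every run and can be replayed against a fixed parser to confirm the repair.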
Reproduced from Global Knowledge White Paper: Zero Day Exploits