A virtual patch lets administrators review, test and schedule official patch updates without leaving the system at risk in the intervening period. Unlike traditional patching, it allows an application to be patched without touching the application or its libraries, the operating system or even the system it is running on. Virtual patching aims to alter or eliminate the vulnerability by controlling either the inputs into or the outputs from the application.
A common method of implementing a virtual patch is to place some type of proxy or in-line packet manipulator in front of the application to control its inputs or outputs, preventing or eliminating the dangerous behavior until the actual source code can be updated or fixed. An alternative approach is to change the application's runtime code, but this can introduce new risks or problems.
A benefit of virtual patching is that a patch can be crafted based solely on known safe behavior for an application. This is especially useful when nothing is known about how the actual attack works, such as when vendors are reluctant to discuss the specific nature of a particular threat. You can create virtual patches that prevent the attack and also implement rules that define trusted behavior, thereby adding an extra layer of security. For example, an output patch could prevent an application from exposing sensitive information by dropping the connection or by allowing it to output only certain content.
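The known-safe-behavior rules and the output patch described above can be sketched as a wrapper that sits in front of an unmodified application. This is an added example, not code from the original article; the `/account` endpoint, its parameters, the card-number output rule and `sample_backend` are all constructed for illustration.

```python
import re

# Hypothetical allow-list for a constructed endpoint: only these parameters,
# only in these formats, count as known-safe input.
INPUT_RULES = {
    "/account": {"id": re.compile(r"[0-9]{1,10}"),
                 "view": re.compile(r"summary|detail")},
}
# Output rule: a response must never carry a 13-16 digit card-like number.
OUTPUT_DENY = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def check_input(path, params):
    """Return None for known-safe requests, otherwise the reason to block."""
    rules = INPUT_RULES.get(path)
    if rules is None:
        return None  # path is outside the scope of this virtual patch
    for name, value in params.items():
        pattern = rules.get(name)
        if pattern is None:
            return f"unexpected parameter {name!r}"
        if not pattern.fullmatch(value):
            return f"parameter {name!r} is outside its allowed format"
    return None

def virtual_patch(backend, log):
    """Wrap backend(path, params) -> (status, body) without modifying it."""
    def patched(path, params):
        reason = check_input(path, params)
        if reason:
            log.append(("input", path, reason))
            return 403, "request blocked"
        status, body = backend(path, params)
        if OUTPUT_DENY.search(body):
            log.append(("output", path, "card-like number in response"))
            return 502, "response blocked"
        return status, body
    return patched

def sample_backend(path, params):
    """Constructed stand-in for the unpatched application."""
    if params.get("id") == "7":  # simulates a record that leaks sensitive data
        return 200, "account 7 card 4111 1111 1111 1111"
    return 200, f"account {params.get('id')} ok"

if __name__ == "__main__":
    events = []
    app = virtual_patch(sample_backend, events)
    for p in ({"id": "42"}, {"id": "42;x"}, {"id": "42", "debug": "1"}, {"id": "7"}):
        print(p, app("/account", p))
    print(events)
```

Neither rule depends on knowing how an attack works: the input rule rejects anything outside the documented request format, and the output rule blocks the leak regardless of what triggered it.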
There is no doubt that a virtual patch is an extremely valuable technique for providing immediate protection against identified vulnerabilities. To make the most of this patching approach, you need to stay up to date with vendor or public vulnerability disclosures and conduct your own code reviews and vulnerability assessments. Of course, if you actually suffer a security incident, virtual patching can prove invaluable, as you have to respond to such an event immediately. Virtual patching, however, is not an alternative to patching. You will still have to deploy official patches whenever possible and practical, but virtual patching can provide reliable protection in the interim. Although it's probably not realistic to implement virtual patching across a large deployment of desktops, servers and data centers can certainly benefit from the quick fix it can provide.
This was first published in February 2009