Fighting Cybercrime Without Downtime: 0Patch CEO Mitja Kolsek On the Power of Micropatches

Written by: Roberto Popolizio
As cybersecurity threats evolve, organizations need faster, smarter solutions. In this interview by Website Planet, Mitja Kolsek, co-founder of ACROS Security, introduces a groundbreaking method that delivers security fixes faster than traditional vendor patches – micropatching. Kolsek explains how 0Patch uses micropatches to keep legacy systems safe in real-time, bypassing the delays and disruptions caused by traditional patching methods.

If you’re managing outdated systems or struggling with timely patching, you’ll want to hear from a globally recognized cybersecurity leader with 25 years of experience on how to close those security gaps.

Penetration Testing: How Things Have Changed

When we started ACROS Security, penetration testing was all about identifying common vulnerabilities that were prevalent at the time. Back then, we would find issues like SQL injections (a term that didn’t even exist at the time), cross-site scripting problems, unauthorized access through direct object references, and various other injection attacks. These were the “usual suspects”—the kinds of security flaws everyone was looking for.

The landscape has changed significantly since then. Our clients are now highly security-mature organizations, which means we’re not finding those “boring” vulnerabilities as often. Instead, what we come across are the more “interesting” issues—unique flaws created by specific software features or their implementations. These are complex and require deeper analysis, but they’re also more rare.

That said, the basic vulnerabilities are still out there in less security-aware organizations, but teams with strong security practices have learned how to mostly avoid them.

The advent of Micropatching

Our experience in penetration testing led to an important realization: what if we could create our own patches for software that wasn’t getting official vendor support anymore? This question sparked an idea that grew into what we now call micropatching.

Micropatches are tiny fixes—sometimes just a couple of CPU instructions—that we apply directly to the vulnerable code in memory. This allows us to patch the software without needing the source code or modifying the original executable. Think of it like adding a security layer to your system without any downtime or disruption.

Micropatches are small but effective changes that can prevent a potentially disastrous exploit. For example, a common critical vulnerability is a buffer overflow, where an attacker supplies more data than a fixed-size memory buffer can handle. This can allow them to overwrite parts of memory and manipulate the system. A buffer overflow is easy to fix with a micropatch by adding a check for data length before it gets copied to the buffer.

Micropatching vs. Traditional Patching

Traditional software patching may look straightforward but it’s a complex process that involves modifying the source code, rebuilding the product, and distributing the updated version to users. The source code changes in multiple places—not just to fix the vulnerability but also for optimizations and other improvements. This increases the risk of breaking something else in the system, so vendors have to perform exhaustive testing, which takes time.

In contrast, micropatches target only the vulnerable part of the code and are applied directly in memory without changing any files. No reboot is required, and the chance of breaking something is minimal because the change is so small. Even better, if you need to remove the patch, you can do so instantly without undoing other security fixes.

For organizations, this means a faster and safer approach to patching. Traditional patches can take weeks or even months to release, while we can deploy micropatches within hours. This quick response is especially important in environments where uptime is critical, like point-of-sale (POS) systems or older legacy software that’s still in use but no longer supported by the vendor.

Why People Trust Micropatching (And Why You Should Too)

Of course, there’s always skepticism when it comes to third-party patches, and that’s understandable. People often wonder how an external company like ours can fix vulnerabilities in complex software without access to the source code. And naturally, there’s the concern that we could introduce new risks.

Our track record after eight years of patching mostly Microsoft’s security issues speaks for itself: we’ve consistently shown that our micropatches are as effective as, and sometimes even better than, official vendor patches. For instance, when we patched a vulnerability (CVE-2022-44698) before Microsoft, it took them two attempts to fix it correctly, while our micropatch worked from the start.

We also test all our patches rigorously. Each micropatch goes through two types of tests: security tests to confirm that the vulnerability is fixed, and functional tests to ensure that the original functionality remains intact. These tests are always done by a different person than the one who wrote the patch, ensuring objectivity.

For added transparency, we even publish the source code of many of our micropatches. Anyone who understands assembly language can review it, which helps build trust. In fact, we’re working on automating this process so that all our micropatches will have their source code publicly available.

When Micropatching is the Best Option

Micropatching is particularly useful for zero-day vulnerabilities, where waiting for a vendor patch is simply not an option. The traditional process of fixing a vulnerability—modifying the source code, rebuilding the product, and thoroughly testing all changes—is time-consuming. Vendors rarely release “out-of-band” updates, preferring to stick to their scheduled update cycles. Plus, vulnerabilities can sometimes get stuck in triage, further delaying an official patch.

Our data shows that we often release micropatches an average of 49 days before official vendor updates. That’s a huge window of time for attackers to exploit a vulnerability if no fix is available. This is why about 40% of our customers are using 0patch on still-supported systems—they just can’t afford to wait.

The Future of Vulnerability Detection and 0Patch

As someone who’s been in this industry for a long time, I’ve seen many attempts to eradicate vulnerabilities before they make it into production. Whether it’s security training for developers, static and dynamic code analysis, or more advanced techniques like symbolic execution, none of these have significantly reduced the presence of critical vulnerabilities.

There’s a lot of excitement about using artificial intelligence (AI) to detect vulnerabilities, and while I think AI has the potential to identify some standard patterns, it won’t replace the need for human expertise. Many vulnerabilities require a deep understanding of unique processes and their context, something AI isn’t quite capable of yet. Plus, there’s the unsettling reality that cybercriminals will likely invest more in AI for finding vulnerabilities than the vendors trying to fix them.

As for our roadmap, we’re working on expanding our offering with N-day patches. These will allow users of still-supported Windows versions to delay installing traditional updates while remaining protected against the most likely-to-be-exploited vulnerabilities.

In the end, our mission remains the same: to provide fast, effective, and reliable security solutions that keep organizations safe in an ever-evolving threat landscape. Micropatching is just one way we’re doing that, but it’s a method I’m particularly proud of because it’s changing the way we think about patching and vulnerability management.

How can our readers connect with you?

Website: https://0patch.com

LinkedIn:

https://www.linkedin.com/in/mitjakolsek/

https://www.linkedin.com/company/0patch/

X:

https://twitter.com/0patch
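
The buffer-overflow fix described in the interview (a length check added in front of the copy) and the apply/remove behaviour described in the comparison with traditional patching, modelled in C as an added example; it is not part of the interview and is not 0patch's code. A function pointer stands in for the in-memory redirection, and `legacy_set_name`, `NAME_BUF` and the other names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 16  /* hypothetical fixed-size buffer */

struct record { char name[NAME_BUF]; unsigned canary; };

typedef int (*set_name_fn)(char *dst, const char *src, size_t len);

/* Constructed stand-in for the unpatched routine: no length check, so
 * len >= NAME_BUF writes past dst. */
static int legacy_set_name(char *dst, const char *src, size_t len) {
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* The "micropatch": one added comparison in front of the original code. */
static int patched_set_name(char *dst, const char *src, size_t len) {
    if (len >= NAME_BUF)
        return -1;               /* reject instead of overflowing */
    return legacy_set_name(dst, src, len);
}

/* Callers reach the routine through this pointer; swapping it models the
 * in-memory redirection. The legacy function itself is never modified. */
static set_name_fn set_name_entry = legacy_set_name;

void patch_apply(void)  { set_name_entry = patched_set_name; }
void patch_remove(void) { set_name_entry = legacy_set_name; }
int  patch_active(void) { return set_name_entry == patched_set_name; }

int store_name(struct record *r, const char *src, size_t len) {
    return set_name_entry(r->name, src, len);
}

int main(void) {
    struct record r = { "", 0xC0FFEEu };
    char oversized[64];
    memset(oversized, 'A', sizeof oversized);   /* constructed input */

    patch_apply();                               /* no restart needed */
    printf("oversized -> %d, canary intact: %d\n",
           store_name(&r, oversized, sizeof oversized), r.canary == 0xC0FFEEu);
    printf("normal    -> %d (%s)\n", store_name(&r, "alice", 5), r.name);
    patch_remove();                              /* instant rollback */
    printf("patch active after removal: %d\n", patch_active());
    return 0;
}
```

The functional check (a normal-length name still stores correctly) and the security check (the oversized input is rejected and the adjacent field is untouched) mirror the two kinds of tests the interview says each micropatch goes through.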
