Recon 2025

Reverse Engineering Patch Tuesday
2025-06-28 , Grand Salon

Patch Tuesday has been reverse engineered. Automated CVE diffing is here. Don't guess what next month's security updates contain, just see them. In this talk, we are going to show you how to pry open the black box of Patch Tuesday.


Windows is one of the most widely used operating systems in the world, and also one of the most frequently updated. Every month, Microsoft releases patches that fix hundreds of bugs and flaws in Windows binaries. But these patches are often shrouded in mystery, with vague or incomplete descriptions of the vulnerabilities they address. This leaves security researchers and system administrators guessing about the true impact and risk of the patches.

In this talk, we reveal our reverse engineering approach to Patch Tuesday. By combining public data, clever analysis, and deep Windows internals knowledge, we’ve developed an algorithm that automatically maps ~70% of Microsoft OS CVEs (since 2016) to specific binary changes. We’ll share the insights behind our method, detail how we refined the process, and demonstrate our automated CVE diffing.

Additionally, we’ll revisit Patch Tuesday’s origins—including the pivotal role of the MS Blaster worm—and reverse engineer a landmark RPC vulnerability patch diff to highlight both the risks and rewards of reverse engineering security patches.

Finally, we'll show you how to put this knowledge to work. Learn to create binary biographies—or "binographies"—that trace a binary's evolution over time, highlighting the essential security changes for each CVE. With Patch Tuesday Binographies, you'll move from guessing to having clear, actionable insights into Microsoft's patch details.

John McIntosh, @clearbluejar, is a security researcher at Clearseclabs. His area of expertise lies within reverse engineering and offensive security, where he demonstrates proficiency in binary analysis, patch diffing, and vulnerability discovery. Notably, John has developed multiple open-source security tools for vulnerability research, all of which are accessible on his GitHub page.

Additionally, his website, https://clearbluejar.github.io/, features detailed write-ups on reversing recent CVEs and building RE tooling with Ghidra. Boasting over a decade of experience in offensive security, John is a distinguished presenter and educator at prominent security conferences internationally. He maintains a fervent commitment to sharing his latest research, acquiring fresh perspectives on binary analysis, and engaging in collaborative efforts with fellow security enthusiasts.