SecurityWeek

Application Security

Vulnerability Broker Applies Pressure on Software Vendors Shipping Faulty, Incomplete Patches

Trend Micro’s Zero Day Initiative, a major player in the vulnerability disclosure ecosystem, is ramping up the pressure on software vendors that consistently ship faulty security patches.

In a major revision of its disclosure policies, the vulnerability broker said it will set strict 30-day deadlines for critical-level bug reports that result from faulty or incomplete patches, a deliberate effort to reverse a disturbing trend in patch quality and a decline in the transparency of vendor communications.

“Over the last few years, we’ve noticed a disturbing trend – a decrease in patch quality and a reduction in communications surrounding the patch. This has resulted in enterprises losing their ability to accurately estimate the risk to their systems,” ZDI said in a note announcing the disclosure timeline policy change.

In an interview with SecurityWeek, ZDI spokesman Dustin Childs said the company will implement a tiered approach based on the severity of the bug and the efficacy of the original fix.

On the first tier, an aggressive 30-day timeframe will be applied to critical-rated cases where exploitation has been detected or is likely. Childs said ZDI will implement 60-day deadlines for critical- and high-severity bugs where the patch offers some protection, and a 90-day window for vulnerabilities where no imminent exploitation is expected.


The vulnerability wholesaler typically gives companies up to 120 days to patch security vulnerabilities bought from bug-bounty hackers, and Childs said aggressive deadlines are one of the few tools available to influence software vendors.

Over the last 18 months, Childs said, ZDI bug bounty data shows a dramatic surge in submissions related to faulty patches that are easy to bypass or that fail to fix the underlying vulnerability.


“We’re seeing between 10% and 20% of all bugs we’ve purchased come from bad patches.  We’re seeing it across the board, not just in our regular bug bounty program, but at Pwn2Own and other submissions, it’s a significant problem,” Childs said.

“The problem has always been there but it’s gotten so much worse,” Childs said, noting that software vendors are rushing to automate the vulnerability reporting process with negative side effects. 

The ZDI spokesman lamented the push towards "API-driven vulnerability reporting," which removes humans from a sensitive part of the vulnerability reporting and patch quality testing processes.

“Unfortunately, automation has these ugly side effects,” Childs said. “Instead of sending an email to a human, we’re now emailing an API that puts the information into a CRM and kicks out a tracking number.  There used to be a human behind the ‘[email protected]’ email box but that’s now gone.  We’re left with less communications on the patches, poor communications on how QA and testing are done, and faulty patches everywhere.


“We’re literally paying twice for bugs for bypasses that we’ve previously paid for.  Paying twice for bugs that are patched with a CVE,” Childs said, noting that the problem is pervasive across the industry.

During a Black Hat conference session in Las Vegas last week, Childs and ZDI colleagues shared data showing a surge in patches that make no effective change (the vulnerability is still present after the vendor's official patch is applied) and an ongoing problem of patches being bypassed mere hours after release.

The company identified faulty patches from a roster of major tech vendors, including Microsoft, Adobe, Google, Oracle, VMware, Cisco, Apple, HP and Dell.

Childs blamed a “lack of commitment” from vendors to sustained security engineering and response and an absence of transparency in communications or advisories.

“Enterprises no longer have a clear view of the true risk to their networks [and] spend additional time and money patching what they’ve already patched,” Childs explained, noting that an incomplete or faulty patch creates more risk than no patch at all, because defenders who have applied it believe the exposure is closed.

He warned that weaponized failed patches and variants of already-patched vulnerabilities are being used in the wild, and urged enterprise defenders to look beyond Patch Tuesday when assessing organizational risk.

Related: Microsoft Confirms ‘PrintNightmare’ is New Security Flaw

Related: Did Microsoft Botch the PrintNightmare Patch?

Related: Microsoft Takes Another Stab at PrintNightmare Security Fix

Related: Already Exploited Zero-Day Headlines Microsoft Patch Tuesday

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
