Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Vulnerability Broker Applies Pressure on Software Vendors Shipping Faulty, Incomplete Patches

Trend Micro’s Zero Day Initiative, a major player in the vulnerability disclosure ecosystem, is ramping up the pressure on software vendors that consistently ship faulty security patches.

Trend Micro’s Zero Day Initiative, a major player in the vulnerability disclosure ecosystem, is ramping up the pressure on software vendors that consistently ship faulty security patches.

In a major revision of its disclosure policies, the vulnerability broker said it will set strict 30-day deadlines for critical-level bug reports that result from faulty or incomplete patches as part of a deliberate effort to reverse a disturbing trend around patch quality and transparency around vendor communications.

“Over the last few years, we’ve noticed a disturbing trend – a decrease in patch quality and a reduction in communications surrounding the patch. This has resulted in enterprises losing their ability to accurately estimate the risk to their systems,” ZDI said in a note announcing the disclosure timeline policy change.

In an interview with SecurityWeek, ZDI spokesman Dustin Childs said the company will implement a tiered approach based on the severity of the bug and the efficacy of the original fix. 

On the first tier, an aggressive 30-day timeframe will be applied for more critical-rated cases where exploitation is detected or likely to happen.  Childs said ZDI will implement 60-day deadlines for critical- and high-severity bugs where the patch offers some protections and a 90-day window for vulnerabilities no imminent exploitation is expected. 

[ READ: Did Microsoft Botch the PrintNightmare Patch? ]

The vulnerability wholesaler typically gives companies up to 120 days to patch security vulnerabilities bought from bug-bounty hackers and Childs said aggressive deadlines is one of the few tools available to influence software vendors.

Over the last 18 months, Childs said ZDI bug bounty data shows a dramatic surge in submissions related to faulty patches that are easy to bypass or fail to fix the underlying vulnerability.

“We’re seeing between 10% and 20% of all bugs we’ve purchased come from bad patches.  We’re seeing it across the board, not just in our regular bug bounty program, but at Pwn2Own and other submissions, it’s a significant problem,” Childs said.

“The problem has always been there but it’s gotten so much worse,” Childs said, noting that software vendors are rushing to automate the vulnerability reporting process with negative side effects. 

The ZDI spokesman lamented the push towards “API-driven vulnerability reporting” that removes humans from a sensitive part of the vulnerability reporting – and patch quality testing – processes. 

“Unfortunately, automation has these ugly side effects,” Childs said. “Instead of sending an email to a human, we’re now emailing an API that puts the information into a CRM and kicks out a tracking number.  There used to be a human behind the ‘[email protected]’ email box but that’s now gone.  We’re left with less communications on the patches, poor communications on how QA and testing are done, and faulty patches everywhere.

[ READ: Microsoft Takes Another Stab at PrintNightmare Security Fix ]

“We’re literally paying twice for bugs for bypasses that we’ve previously paid for.  Paying twice for bugs that are patched with a CVE,” Childs said, noting that the problem is pervasive across the industry.

During a Black Hat conference session in Las Vegas last week (download slides), Childs and ZDI colleagues shared data showing a surge in patches that make no effective changes (the vulnerability is still present after the vendor’s official patch is applied) and an ongoing issue where patches are bypassed mere hours after a patch is released.

The company identified faulty patches from a roster of major tech vendors, including Microsoft, Adobe, Google, Oracle, VMware, Cisco, Apple, HP and Dell.

Childs blamed a “lack of commitment” from vendors to sustained security engineering and response and an absence of transparency in communications or advisories.

“Enterprises no longer have a clear view of the true risk to their networks [and] spend additional time and money patching what they’ve already patched,” Childs explained, noting that an incomplete or faulty patch results in more risk than if there’s no patch at all.

He warned that the weaponization of failed patches and variants of already patched vulnerabilities are being used in the wild and urged enterprise defenders to look beyond Patch Tuesday when assessing organizational risk.

Related: Microsoft Confirms ‘PrintNightmare’ is New Security Flaw

Related: Did Microsoft Botch the PrintNightmare Patch?

Related: Microsoft Takes Another Stab at PrintNightmare Security Fix

Related: Already Exploited Zero-Day Headlines Microsoft Patch Tuesday

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Nation-State

The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.