Trend Micro’s Zero Day Initiative, a major player in the vulnerability disclosure ecosystem, is ramping up the pressure on software vendors that consistently ship faulty security patches.
In a major revision of its disclosure policies, the vulnerability broker said it will impose strict 30-day deadlines on critical-severity bug reports that stem from faulty or incomplete patches. The change is a deliberate effort to reverse what ZDI describes as a decline in both patch quality and the transparency of vendor communications around patches.
“Over the last few years, we’ve noticed a disturbing trend – a decrease in patch quality and a reduction in communications surrounding the patch. This has resulted in enterprises losing their ability to accurately estimate the risk to their systems,” ZDI said in a note announcing the disclosure timeline policy change.
In an interview with SecurityWeek, ZDI spokesman Dustin Childs said the company will implement a tiered approach based on the severity of the bug and the efficacy of the original fix.
On the first tier, an aggressive 30-day timeframe will apply to critical-rated cases where exploitation has been detected or is likely. Childs said ZDI will use 60-day deadlines for critical- and high-severity bugs where the original patch offers some protection, and a 90-day window for vulnerabilities where no imminent exploitation is expected.
The vulnerability wholesaler typically gives vendors up to 120 days to patch security vulnerabilities it buys from bug-bounty researchers, and Childs said aggressive deadlines are one of the few tools available to influence software vendors.
Over the last 18 months, Childs said, ZDI bug-bounty data shows a dramatic surge in submissions related to faulty patches that are easy to bypass or that fail to fix the underlying vulnerability.
“We’re seeing between 10% and 20% of all bugs we’ve purchased come from bad patches. We’re seeing it across the board, not just in our regular bug bounty program, but at Pwn2Own and other submissions, it’s a significant problem,” Childs said.
“The problem has always been there but it’s gotten so much worse,” Childs said, noting that software vendors are rushing to automate the vulnerability reporting process with negative side effects.
The ZDI spokesman lamented the push towards “API-driven vulnerability reporting,” which removes humans from a sensitive part of the vulnerability reporting process and from patch-quality testing.
“Unfortunately, automation has these ugly side effects,” Childs said. “Instead of sending an email to a human, we’re now emailing an API that puts the information into a CRM and kicks out a tracking number. There used to be a human behind the ‘[email protected]’ email box but that’s now gone. We’re left with less communications on the patches, poor communications on how QA and testing are done, and faulty patches everywhere.
“We’re literally paying twice for bugs for bypasses that we’ve previously paid for. Paying twice for bugs that are patched with a CVE,” Childs said, noting that the problem is pervasive across the industry.
During a Black Hat conference session in Las Vegas last week, Childs and ZDI colleagues shared data showing a surge in patches that make no effective change (the vulnerability is still present after the vendor’s official patch is applied), and an ongoing problem of patches being bypassed mere hours after release.
The company identified faulty patches from a roster of major tech vendors, including Microsoft, Adobe, Google, Oracle, VMware, Cisco, Apple, HP and Dell.
Childs blamed a “lack of commitment” from vendors to sustained security engineering and response and an absence of transparency in communications or advisories.
“Enterprises no longer have a clear view of the true risk to their networks [and] spend additional time and money patching what they’ve already patched,” Childs explained, noting that an incomplete or faulty patch results in more risk than if there’s no patch at all.
He warned that failed patches and variants of already-patched vulnerabilities are being weaponized and used in the wild, and urged enterprise defenders to look beyond Patch Tuesday when assessing organizational risk.