The “Disturbing Trend” in Software Patches – and how it’s being addressed
Vulnerability disclosure is when a software developer is notified about flaws in their code so they can create fixes, patches or improve the security of their product. But according to the Zero Day Initiative, after 17 years and more than 10,000 disclosures, they are calling out a “disturbing trend” and announcing a plan to apply some counter pressure.
ZDI, a program that has been owned by security firm Trend Micro since 2015, buys vulnerability findings from researchers and handles disclosures to vendors. In exchange, Trend Micro gets a wealth of knowledge it can use to make its antivirus tool and defense products more effective at protecting its customers. ZDI states that it has handled approximately 1,700 vulnerability disclosures so far this year. However, it notes that the quality of vendor patches has been declining in recent years.
ZDI says that, more and more often, the group buys a bug from a researcher and the vendor patches it, only for ZDI to buy another report soon afterwards that explains how to bypass the patch. ZDI has also noticed a worrying trend of organizations disclosing less specific information about vulnerabilities in their public security alerts. This makes it more difficult to assess the seriousness of a vulnerability and to create a patch – a serious concern for big organizations and critical infrastructure.
“Over the last few years, we’ve really noticed that the quality of security patches has noticeably declined,” says ZDI member Dustin Childs. “There’s no accountability for having incomplete or faulty patches.”
ZDI researchers note that bad patches can happen for many reasons. Figuring out how to fix a software flaw can be a delicate process. Sometimes organizations lack the expertise to create a fix, or simply haven’t invested in solving these problems. Instead, in a rush to clear their backlog of reports, they don’t take the time to conduct a proper root-cause analysis to determine whether deeper underlying issues exist and can be fixed.
Bad patches are a real concern. At the end of June, Google’s Project Zero bug-hunting team reported that of the novel vulnerabilities that were exploited in the wild so far in 2022, at least half are variants of previously patched flaws.
“A combination of things over time has led us to believe that we actually have a more serious problem than most people understand,” says Brian Gorenc, who runs ZDI.
Like other organizations involved in disclosure, including Project Zero, ZDI gives developers a deadline for how long they have to patch a vulnerability before details are published publicly. ZDI’s standard deadline is 120 days from disclosure. But in response to the declining state of patches, the group is updating its deadline guidelines for bugs that have been previously patched.
The new guidelines depend on the severity of the flaw, how easy its patch is to bypass, and how likely ZDI thinks the vulnerability is to be exploited by attackers. The new deadlines are 30 days for critical flaws, 60 days for bugs where the existing patch provides some sort of protection, and 90 days for all other cases. This move follows the tradition of using public disclosure as leverage to drive the improvements needed to handle important software flaws that potentially impact users around the world.
“The weaponization of failed patches in various vulnerabilities is absolutely being used in the wild right now,” said Childs. “It’s a real problem that has real consequences to the user, and we’re trying to incentivize vendors to get it right the first time.”
Story via WIRED