Sloppy software patches are a ‘worrying trend’

The whole purpose of vulnerability disclosure is to inform software developers about vulnerabilities in their code so they can create fixes or patches and improve the security of their products. But after 17 years and more than 10,000 vulnerability disclosures, the Zero Day Initiative is calling out a “worrying trend” at the Black Hat security conference in Las Vegas today and announcing plans to apply some counter-pressure.

ZDI, owned by security company Trend Micro since 2015, is a program that purchases vulnerability findings from researchers and handles disclosure to vendors. In return, Trend Micro, which makes anti-virus tools and other defensive products, obtains a wealth of information and telemetry that it can use to monitor research and, ideally, protect its customers. The team estimates that it has processed about 1,700 disclosures so far this year. But ZDI warns that, from its vantage point, the quality of vendor patches has generally declined in recent years.

More and more often, the team buys a bug from a researcher, the bug gets patched, and soon afterwards ZDI buys another report describing how to get around the patch, sometimes through multiple rounds of patching and bypassing. ZDI also said that it has noticed a disturbing trend of companies disclosing less specific information about vulnerabilities in their public security advisories, making it harder for users around the world to judge vulnerability severity and prioritize patching, a real concern for critical infrastructure and institutions.

ZDI member Dustin Childs said: “Over the past few years, we’ve really noticed that the quality of security patches has dropped dramatically. There is no accountability for having incomplete or faulty patches.”

ZDI researchers say that faulty patches arise for a variety of reasons. Figuring out how to fix software bugs can be a complex and delicate process, and sometimes companies lack the expertise or the investment to create good solutions to these important problems. Organizations may be rushing to close bug reports and clear their queues, and they may not be taking the time needed to conduct “root cause” or “variant” analysis and assess the underlying issues, so that deeper problems can be comprehensively remedied.

Whatever the reason, faulty patches are a real concern. At the end of June, Google’s Project Zero bug hunting team found that at least half of the new vulnerabilities it has tracked being exploited by attackers in the wild so far in 2022 are variants of previously patched vulnerabilities.

Brian Gorenc, who runs ZDI, said: “A combination of things over time has led us to believe that we actually have a problem that is more serious than most people understand.”

Like other organizations that are heavily involved in disclosure, notably Project Zero, ZDI gives developers a deadline by which they must release a patch before details of the vulnerability are publicly disclosed. ZDI’s standard window is 120 days from the date of disclosure. But in response to the explosion of faulty patches, the team is today announcing a new set of deadlines for bugs that bypass previous patches.

Depending on the severity of the vulnerability, how easy it is to bypass the patch, and how likely ZDI thinks the vulnerability is to be exploited by attackers, the team will now set a 30-day deadline for critical vulnerabilities, 60 days for bugs where the existing patch provides some protection, and 90 days in all other cases. The move follows a tradition of using public disclosure as leverage, one of the few levers security advocates have, to drive needed improvements in how developers handle software bugs that have the potential to affect users worldwide.

“Weaponization of patches in various security holes is being used wildly right now,” said ZDI’s Childs. “It’s a real problem with real consequences for users, and we’re trying to encourage vendors to address it the first time around.”
