Sloppy Software Patches Are a ‘Disturbing Trend’

by lacygibson
August 11, 2022
in National, World

The main purpose of vulnerability disclosure is to notify software developers of flaws in their code so that they can create fixes or patches and improve the security of their products. But after 17 years and more than 10,000 vulnerability disclosures, the Zero Day Initiative called out “disturbing trends” today at the Black Hat security conference in Las Vegas and announced plans to apply some counter pressure.

Owned by security firm Trend Micro since 2015, ZDI is a program that buys vulnerability discoveries from researchers and handles disclosure to vendors. In exchange, Trend Micro, which makes antivirus tools and other defense products, gets a wealth of information and telemetry that it can use to track research and hopefully protect its customers. The group estimates that it has processed about 1,700 disclosures so far this year. But ZDI warns that, from a bird’s-eye view, the overall quality of vendor patches has been declining in recent years.

Increasingly, the group would purchase a vulnerability from a researcher, the vendor would patch it, and shortly afterward ZDI would purchase another report on how to bypass the patch, sometimes through multiple rounds of patching and bypass. ZDI also said it has noted a worrying trend in which companies disclose less specific information about vulnerabilities in their public security alerts, making it harder for users around the world to assess the severity of vulnerabilities and prioritize patches, a real concern for large enterprises, institutions and critical infrastructure.

“Over the past few years, we’ve definitely noticed a noticeable drop in the quality of security patches,” said ZDI member Dustin Childs. “Incomplete or flawed patches are irresponsible.”

ZDI researchers say there are many reasons for bad patches. Figuring out how to fix software flaws can be a delicate process, and sometimes companies lack the expertise or have not made the investment to generate elegant solutions to these important problems. Organizations may be in a rush to close bug reports and clear their backlog, and they may not be spending the time needed to conduct a “root cause” or “variant” analysis and assess the underlying issues so that the deeper problems can be fully addressed.

Whatever the reason, bad patches are a real problem. In late June, Google’s Project Zero vulnerability-hunting team found that at least half of the new vulnerabilities it has tracked being exploited by attackers in the wild in 2022 so far are variants of previously patched vulnerabilities.

“Over time, a combination of things led us to believe that we actually had a bigger problem than most people understand,” said Brian Gorenc, who runs ZDI.

Like other organizations heavily involved in disclosure, especially Project Zero, ZDI gives developers a deadline for releasing a patch before details about the vulnerability are made public. The standard deadline for ZDI is 120 days from the date of disclosure. But in response to the prevalence of bad patches, the group today announced a new set of deadlines for bugs that have previously been patched.

Based on the severity of the vulnerability, how easy it is to bypass the patch, and how likely ZDI believes the vulnerability is to be exploited by an attacker, the group is now setting a deadline of 30 days for critical vulnerabilities, 60 days for bugs where the existing patch provides some protection, and 90 days in all other cases. The move follows a tradition of using public disclosure as an important point of leverage, one of only a handful available to security proponents, to prompt necessary improvements in how developers deal with high-risk software flaws that could affect users around the world.

“Weaponization of failed patches in various exploits is absolutely widespread now,” said ZDI’s Childs. “This is a real problem that will have a real impact on users, and we’re trying to incentivize vendors to put it in the first place. Do it.”
