Sloppy Software Patches Are a ‘Disturbing Trend’

Press room Published August 11, 2022
Last updated: 2022/08/11 at 5:45 PM

The whole purpose of vulnerability disclosure is to notify software developers about flaws in their code so they can create fixes, or patches, and improve the security of their products. But after 17 years and more than 10,000 vulnerability disclosures, the Zero Day Initiative is calling out a “disturbing trend” at the Black Hat security conference in Las Vegas today and announcing a plan to apply some counter pressure.

ZDI, which has been owned by the security firm Trend Micro since 2015, is a program that buys vulnerability findings from researchers and handles disclosure to vendors. In exchange, Trend Micro, which makes an antivirus tool and other defense products, gets a wealth of information and telemetry that it can use to track research and hopefully protect its customers. The group estimates that it has handled roughly 1,700 disclosures so far this year. But ZDI warns that, from its bird’s eye view, it found that the quality of vendor patches overall has been slipping in recent years.

More and more often, the group buys a bug from a researcher, it gets patched, and then soon after ZDI is buying another report about how to bypass the patch, sometimes with multiple rounds of patching and circumvention. ZDI also says that it has noticed a worrying trend of companies disclosing less specific information about vulnerabilities in their public security alerts, making it more difficult for users around the world to assess how serious a vulnerability is and formulate patch prioritization—a real concern for big institutions and critical infrastructure.

“Over the last few years, we’ve really noticed that the quality of security patches has noticeably declined,” says ZDI member Dustin Childs. “There’s no accountability for having incomplete or faulty patches.”

ZDI researchers say that bad patches happen for a variety of reasons. Figuring out how to fix software flaws can be a nuanced and delicate process, and sometimes companies lack the expertise or haven’t made the investment to generate elegant solutions to these important problems. Organizations may be rushing to close bug reports and clear their slate, and they may not take the necessary time to conduct “root cause” or “variant” analysis and assess underlying issues so that deeper problems can be comprehensively fixed.

Regardless of the reason, bad patches are a real concern. At the end of June, Google’s Project Zero bug hunting team found that at least half of the novel vulnerabilities it has tracked being exploited by attackers in the wild so far in 2022 are variants of previously patched flaws.

“A combination of things over time has led us to believe that we actually have a more serious problem than most people understand,” says Brian Gorenc, who runs ZDI.

Like other organizations heavily involved in disclosure, notably including Project Zero, ZDI gives developers a deadline for how long they have to issue a patch before details about the vulnerability in question are published. ZDI’s standard deadline is 120 days from disclosure. But in reaction to the epidemic of bad patches, the group is today announcing a new set of deadlines for bugs that have been previously patched.

Depending on the severity of the flaw, how easy it is to bypass the patch, and how likely ZDI thinks it is that the vulnerability will be exploited by attackers, the group will now set deadlines of 30 days for critical flaws, 60 days for bugs where the existing patch provides some protection, and 90 days for all other cases. The move follows a tradition of using public disclosure as an important point of leverage—one of the few security proponents have—to spur necessary improvements in how developers handle high-stakes software flaws that potentially impact users around the world.

“The weaponization of failed patches in various vulnerabilities is absolutely being used in the wild right now,” ZDI’s Childs says. “It’s a real problem that has real consequences to the user and we’re trying to incentivize vendors to get it right the first time.”
