
Sloppy Software Patches Are a ‘Disturbing Trend’


Vulnerability disclosure is about informing software developers of vulnerabilities in their code so they can create fixes or patches and improve the security of their products. But after 17 years and more than 10,000 vulnerability disclosures, the Zero Day Initiative is calling out a “worrying trend” at the Black Hat security conference in Las Vegas today and announcing plans to push back.

ZDI, owned by security company Trend Micro since 2015, is a program that purchases vulnerability findings from researchers and handles disclosure to vendors. In return, Trend Micro, which makes antivirus tools and other defensive products, obtains a wealth of information and telemetry that it can use to track new research and, ideally, protect its customers. The team estimates that it has processed about 1,700 disclosures so far this year. But ZDI says that, from its vantage point, the quality of vendor patches has generally declined in recent years.

More and more often, the team buys a bug from a researcher, the vendor patches it, and soon ZDI buys another report showing how to get past the patch, sometimes with multiple rounds of patching and bypassing. ZDI also said it has noticed a disturbing trend of companies disclosing less specific information about vulnerabilities in their public security advisories, making it harder for users around the world to judge vulnerability severity and prioritize patching, a real concern for large organizations and critical infrastructure.

ZDI’s Dustin Childs said: “Over the past few years, we’ve really noticed that the quality of security patches has dropped dramatically. There is no accountability for having incomplete or faulty patches.”

ZDI researchers say incomplete patches happen for a variety of reasons. Figuring out how to fix a software bug can be a complex and delicate process, and sometimes companies lack the expertise or the investment to create good fixes for these important problems. Organizations may be rushing to close bug reports and clear their backlogs, and may not be taking the time needed to conduct a “root cause” or “variant” analysis that evaluates the underlying issue so the deeper problem can be comprehensively remedied.

Whatever the reason, incomplete patches are a real concern. At the end of June, Google’s Project Zero bug-hunting team reported that, of the newly exploited in-the-wild vulnerabilities it had tracked so far in 2022, at least half were variants of previously patched vulnerabilities.

Brian Gorenc, who runs ZDI, said: “A combination of things over time has led us to believe that we actually have a problem that is more serious than most people understand.”

Like other organizations that are heavily involved in disclosures, including Project Zero, ZDI gives developers a deadline for how long they have to release a patch before details of the vulnerability are made public. ZDI’s standard window is 120 days from the date of disclosure. But in response to the explosion of patch bypasses, today the team is announcing a new, shorter set of deadlines for bugs that get around an existing patch.

Depending on the severity of the vulnerability, how easily the existing patch can be bypassed, and how likely ZDI thinks exploitation by an attacker is, the team will now set a 30-day deadline for critical bugs, 60 days for bugs where the existing patch provides some protection, and 90 days in all other cases. The move follows a tradition of using public disclosure as a point of leverage, one of the few that security advocates have, to drive needed improvements in how developers handle software bugs that have the potential to affect users worldwide.

“Weaponization of patches in various security holes is being used wildly right now,” said ZDI’s Childs. “It’s a real problem with real consequences for users, and we’re trying to encourage vendors to address it the first time around.”
