The Zero Day Initiative (ZDI) is tweaking its disclosure policy for ineffective patches, saying it has observed a decrease in patch quality that is leading to many issued fixes being faulty or incomplete.
The new disclosure policy from Trend Micro’s ZDI program reduces the standard 120-day timeline for bugs that are believed to be the result of a bypassed security patch. The policy will now give companies 30 days to patch critical-rated cases “where exploitation is expected,” 60 days for critical and high-severity flaws where the existing patch offers some protections and 90 days for all other severity flaws where no imminent exploitation is expected. ZDI Senior Communications Manager Dustin Childs said 10 to 20 percent of the bugs ZDI is purchasing result from incomplete or inadequate patches.
“It’s our hope the new timelines incentivize vendors to get the patch correct the first time,” said Childs. “We also hope the timelines work to get fixes out faster for broken patches so that enterprises can protect their systems… We’ve seen reduction in timelines work in other areas, so we want to use the tactic here as well.”
In June, researchers with Google Project Zero said they had found 18 zero days exploited in the wild so far in 2022, and that half of those were variants of previously patched flaws. Childs attributed the volume of ineffective patches to a lack of resources and a skills gap in testing and quality assurance (QA), in part because businesses have disinvested in maintaining testers and QA organizations.
“There are many reasons why this is occurring, but it really boils down to a few specific points,” said Childs. “For many, it comes down to a focus away from sustained engineering and towards product development. In many cases, they just aren’t resourced appropriately to create comprehensive fixes for reported vulnerabilities.”
Ineffective patches include variants of bugs as well as flaws that result from incomplete fixes or regressions. In many cases, for instance, the issued patch blocked the specific proof-of-concept exploit that was reported but did not address the root cause, so attackers could still trigger the original flaw through a different attack vector. Childs said that while variants of bugs certainly occur, ZDI sees incomplete fixes more frequently.
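The pattern described above, as an added illustration that is not code from ZDI, Trend Micro or any vendor named in this article: a hypothetical record parser fills two fixed-size fields from attacker-controlled input through one shared copy routine. Three revisions are modelled side by side: the unpatched code, a "PoC-only" patch that adds a length check on the one call path the reporter's crash pointed at, and a root-cause fix that moves the check into the shared sink so every caller is covered. The field names, the 16-byte capacity and the 64-byte payload are all constructed for the example, and the overflow is never actually performed; each revision reports how many bytes would reach the buffer, and `would_overflow()` flags any count beyond its capacity.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_CAP 16
#define REJECTED  (-1)

enum revision { UNPATCHED, POC_ONLY_FIX, ROOT_CAUSE_FIX };
enum field    { FIELD_NAME, FIELD_COMMENT };

/* Shared sink for both fields. Only ROOT_CAUSE_FIX validates here; the two
 * earlier revisions trust whatever `len` the caller passes. The memcpy is
 * guarded so this harness never overflows: the return value is the byte count
 * the revision *would* have written into a FIELD_CAP-byte buffer. */
static int sink_copy(enum revision rev, char *dst, const uint8_t *src, size_t len)
{
    if (rev == ROOT_CAUSE_FIX && len > FIELD_CAP)
        return REJECTED;
    if (len <= FIELD_CAP)
        memcpy(dst, src, len);
    return (int)len;
}

/* Caller 1: the path the reporter's PoC exercised. POC_ONLY_FIX adds its
 * check here, at the spot the crash pointed to, and nowhere else. */
static int handle_name(enum revision rev, char *name, const uint8_t *src, size_t len)
{
    if (rev == POC_ONLY_FIX && len > FIELD_CAP)
        return REJECTED;
    return sink_copy(rev, name, src, len);
}

/* Caller 2: reaches the same sink with the same unchecked length, but the PoC
 * never went this way, so POC_ONLY_FIX leaves it untouched. */
static int handle_comment(enum revision rev, char *comment, const uint8_t *src, size_t len)
{
    return sink_copy(rev, comment, src, len);
}

/* Parse one field write. Returns REJECTED, or the byte count reaching the field. */
int process(enum revision rev, enum field target, const uint8_t *src, size_t len)
{
    char name[FIELD_CAP], comment[FIELD_CAP];
    return target == FIELD_NAME ? handle_name(rev, name, src, len)
                                : handle_comment(rev, comment, src, len);
}

/* 1 if this revision would write past the end of a FIELD_CAP-byte field. */
int would_overflow(enum revision rev, enum field target, const uint8_t *src, size_t len)
{
    int n = process(rev, target, src, len);
    return n != REJECTED && (size_t)n > FIELD_CAP;
}

/* Constructed oversized input standing in for the attacker's message. */
const uint8_t oversized[64] = { 'A' };

int main(void)
{
    const char *names[] = { "UNPATCHED", "POC_ONLY_FIX", "ROOT_CAUSE_FIX" };
    for (int rev = UNPATCHED; rev <= ROOT_CAUSE_FIX; rev++)
        printf("%-15s PoC path (name) overflows: %d   variant path (comment) overflows: %d\n",
               names[rev],
               would_overflow(rev, FIELD_NAME, oversized, sizeof oversized),
               would_overflow(rev, FIELD_COMMENT, oversized, sizeof oversized));
    return 0;
}
```

Run stand-alone, the table shows the point of the passage: the unpatched code overflows on both paths, the PoC-only patch stops the reported path but still overflows on the comment path (the "variant" a second researcher would find by looking at the other caller of the same sink), and only the root-cause fix rejects both. In a real review the question to ask of any patch is which sink was vulnerable and whether the check was placed at that sink or merely at the caller the crash happened to come through.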
In July 2021, Microsoft issued an emergency patch for the critical “PrintNightmare” flaw (CVE-2021-34527), but several researchers disputed its efficacy, saying they were able to bypass the fix and still achieve local privilege escalation. Meanwhile, in February, Apple issued a fix for a WebKit flaw that was being exploited in the wild; the bug had originally been discovered and fixed in 2013, but was reintroduced in 2016 during a code refactoring effort.
Faulty patches lead organizations to falsely believe that they are protected. They also make it harder to estimate the risk to affected systems, and they drain enterprises of money, time and resources when re-released patches have to be reapplied: according to ZDI, patching costs for medium and large enterprises can exceed six figures a month.
Researchers have weighed the complexity of patch development when debating vulnerability disclosure windows: they want the companies issuing patches to take the time to address a flaw's root cause and to consider all of its variants, rather than rushing out an easy fix that fits within the disclosure window but may turn out to be faulty.
The ZDI said that, moving forward, it will track failed patches more closely, and it hopes that tweaking its disclosure timelines will shorten vendors' overall time-to-fix. Disclosure windows are constantly reexamined as the patch management and threat landscape changes; ZDI, for instance, previously shortened its standard timeline from 180 days to 120 days. Google Project Zero, meanwhile, announced a trial in 2021 that gives vendors an additional 30-day grace period before technical details are published, provided the issue is fixed within 90 days (previously the policy mandated disclosure 90 days after the initial vulnerability report, regardless of when the bug was fixed).
"I can see the logic behind the update only applying to faulty or incomplete patches," said Casey Ellis, founder and CTO at Bugcrowd. "The release of a patch provides richer information to those who wish to reverse it which, in general, reduces the amount of time it takes to find a vulnerability and test/develop a working exploit. It also implies that the authors and owners of the code have had recent experience in that particular part of the codebase, which reduces the time needed to re-issue a working patch."