ARN

Why patching quality, vendor info on vulnerabilities are declining

It's getting harder to assess the impact of patching or not patching, and too many patches don't fully fix the problem. It's time to pressure vendors.

Those who apply security patches are finding that it’s becoming harder to time updates and determine the impact of patching on their organisations. 

Dustin Childs of Trend Micro's Zero Day Initiative (ZDI) brought this problem to light at the recent Black Hat security conference: patch quality has not improved and is in fact getting worse. We are dealing with re-patching bugs that weren't fixed properly the first time, or variant bugs that could have been patched along with the original.

Childs also pointed out that vendors are not providing good information about the Common Vulnerability Scoring System (CVSS) risk to easily analyse whether to patch. The vendor might give a high CVSS risk score to a bug that wouldn’t be easily exploited. 

I am having to dig further into the details of a bug to understand the risk of not applying an update immediately. Vendors are obscuring bug information and making the risk harder to understand.

CVSS scores don’t always reflect the true risk

CVSS is an industry standard meant to help assess the severity of computer system security vulnerabilities. With 10 being the most severe, the higher the CVSS score assigned to a patch, the sooner we should be applying it.

However, after evaluating the extenuating circumstances and additional risk factors, we may not need to be quite so concerned. Worse is when the CVSS is lower than it should be because it doesn’t account for additional risk factors unique to your organisation.

For example, Microsoft’s August security updates include CVE-2022-34715, fixing the Windows Network File System remote code execution vulnerability. The CVSS score is 9.8, which suggests immediate concern. 

Looking closer at the bug, it only impacts Server 2022 and then only if the NFS 4.0 role service is installed. The highest rated patch of the August 2022 release probably doesn’t impact you if you aren’t running that particular code.

Patch quality, vendor communication on vulnerabilities declining

Childs pointed out that patching has become worse both in terms of quality of updates and reduction of communication surrounding security updates. He stated that we can’t always “just patch it.” Faulty patches don’t make the situation more secure. 

An enterprise might hold back on updates because a side effect causes a direct business impact. Attackers don’t have that problem. They can exploit vulnerabilities efficiently and quickly without constraints.

Social media and researcher warnings might increase the pressure on CISOs and IT teams to roll out patches. Yet studies have shown that only five per cent of bugs are acted upon. So we can no longer accurately determine the risk, the need to apply updates or, worse yet, the risk of not applying them.

Microsoft has removed information from its security bulletins starting in 2020, making it harder to determine whether a bulletin applies to your situation. I now review social media posts and track down the social media platforms that attackers use to get a better understanding of the risk of an update.

Worse, some vendors require customers to log in to access additional information. Vendors might scatter information across several places on their platforms, making the process of understanding the bug and its patches confusing and time-consuming.

Known issues are often listed in multiple places and aren't sent to customers automatically. Patch automation and API-driven vulnerability information are removing the human guidance and much of the risk analysis needed to better protect ourselves.

ZDI pointed out that across the industry, 10 per cent to 20 per cent of vulnerabilities are being revisited and repatched. 

You think you have protected your network from that SharePoint remote code execution bug, but it wasn’t fixed properly and attackers know how to bypass that patch you just applied. You may not realise that you should be following the mitigation guidance rather than relying on patching.

Pressure vendors to better patch and communicate about vulnerabilities

What can you do to better understand risk? First, push back on vendors. The current level of patching and re-patching is not ideal for anyone. We need better communication from vendors, and we need to push them to test more thoroughly and improve their patches so that we're not redoing patches and receiving faulty updates.

If a vendor contacts you about a new product, give them feedback on the existing products you use. If you attend vendor conferences, seek out vendor representatives and tell them what you need from them.

Next, build up the information you need to understand the risk to your organisation. It's said that attackers know our networks better than we do. Know what software you have in your network, as well as how exposed you are to external actions and attacks.
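As an added example (not code from the article or from ZDI), here is a small Python inventory gate that applies the reasoning above about CVE-2022-34715: the vendor's 9.8 stands as published, but the patch is only prioritised where a host actually matches the affected product and has the required role installed. The Advisory and Host types, the priority labels and the sample inventory are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Advisory:
    """Vendor advisory as the patcher sees it (prerequisites pulled from the bulletin)."""
    cve: str
    cvss: float
    products: frozenset        # affected product names
    required_roles: frozenset  # roles/features that must be installed for exposure

@dataclass
class Host:
    name: str
    product: str
    roles: frozenset = field(default_factory=frozenset)
    internet_facing: bool = False

# Advisory details as stated in the article: CVSS 9.8, Server 2022 only,
# and only when the NFS 4.0 role service is installed.
CVE_2022_34715 = Advisory(
    cve="CVE-2022-34715", cvss=9.8,
    products=frozenset({"Windows Server 2022"}),
    required_roles=frozenset({"NFS 4.0"}),
)

def exposed_hosts(adv, inventory):
    """Hosts the advisory actually applies to: right product AND every required role present."""
    return [h for h in inventory
            if h.product in adv.products and adv.required_roles <= h.roles]

def triage(adv, inventory):
    """Turn a vendor CVSS score into a local priority using the inventory.
    This is a simple inventory gate, not a CVSS environmental-score calculation."""
    hits = exposed_hosts(adv, inventory)
    if not hits:
        return "not applicable", hits
    if adv.cvss >= 9.0 and any(h.internet_facing for h in hits):
        return "patch now", hits
    if adv.cvss >= 7.0:
        return "patch this cycle", hits
    return "schedule", hits

# Constructed sample inventory (not from the article).
INVENTORY = [
    Host("dc01", "Windows Server 2022"),                                  # no NFS role
    Host("file02", "Windows Server 2022", frozenset({"NFS 4.0"})),        # exposed, internal
    Host("web03", "Windows Server 2019", frozenset({"NFS 4.0"}), True),   # wrong product
]
```

Run against a real inventory the gate only works if role and product data are accurate, which is the point of knowing your own network before reading the CVSS number.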

If you don’t have team members inside your organisation that can assist you, look outside your organisation. From cyber insurance to red teams or purple teams, look to the external vendors that your organisation currently uses to provide security services for your firm.

If your firm is resource constrained, look to industry-specific groups or government agencies that provide information about vulnerabilities and risk.

ZDI is shortening its disclosure timelines when it comes across repeat bugs, as a way of putting pressure on vendors. As ZDI noted in its talk at Black Hat, if a patch is faulty and exploits are expected, the disclosure timeline moves to 30 days.

Bottom line: If you feel that patching is a never-ending chore and you and your team are not making headway in protecting your organisation, you are not alone. The technology industry needs to step back and step up in helping us out. Patching is not enough.