“It’s our hope the new timelines incentivize vendors to get the patch correct the first time.”
In July 2021, Microsoft issued an emergency patch for the critical “PrintNightmare” flaw (CVE-2021-34527), but many researchers disputed the efficacy of the fix, reporting that they were able to bypass it and still achieve local privilege escalation. Meanwhile, in February, Apple re-issued a fix for a WebKit flaw that was being exploited in the wild; the bug had originally been discovered and fixed in 2013, but was reintroduced in 2016 during a code refactoring effort.
Faulty patches lead organizations to believe that a flaw has been fixed when it has not, but they also make it harder to estimate the risk to impacted systems, and they drain enterprises of money, time and resources when re-released patches need to be reapplied (with patch costs for medium and large enterprises sometimes exceeding six figures monthly, according to ZDI).
Researchers have weighed these patch-development complexities when thinking about vulnerability disclosure windows. They want to make sure that the companies issuing patches take the time to address the root cause of a flaw and to consider all of its variants, rather than rushing out an easy fix that can be pushed within the disclosure window but may turn out to be faulty.
The ZDI said that moving forward it will track failed patches more closely. By tweaking its disclosure timelines, ZDI hopes that vendors’ overall time-to-fix will decrease. Disclosure windows are constantly being reexamined and changed as different factors in the patch management and threat landscape change, with ZDI previously shaving down its disclosure timeline from 180 days to 120 days, for instance. Google Project Zero, meanwhile, in 2021 announced a trial that would give an additional 30-day leeway period for publishing technical details, if the issue has been fixed within 90 days (previously the policy mandated that disclosure should occur 90 days after an initial vulnerability report, regardless of when the bug is fixed).
“I can see the logic behind the update only applying to faulty or incomplete patches,” said Casey Ellis, founder and CTO at Bugcrowd. “The release of a patch provides richer information to those who wish to reverse it which, in general, reduces the amount of time it takes to find a vulnerability and test/develop a working exploit. It also implies that the authors and owners of the code have had recent experience in that particular part of the codebase, which reduces the time needed to re-issue a working patch.”