The whole purpose of vulnerability disclosure is to notify software developers about flaws in their code so they can create fixes, or patches, and improve the security of their products. But after 17 years and more than 10,000 vulnerability disclosures, the Zero Day Initiative is calling out a “disturbing trend” at the Black Hat security conference in Las Vegas today and announcing a plan to apply some counterpressure.
ZDI, which has been owned by the security firm Trend Micro since 2015, is a program that buys vulnerability findings from researchers and handles disclosure to vendors. In exchange, Trend Micro, which makes an antivirus tool and other defense products, gets a wealth of vulnerability information and telemetry that it can use to track research and hopefully protect its customers. The group estimates that it has handled roughly 1,700 disclosures so far this year. But ZDI says that from its bird’s-eye view, the quality of vendor patches overall has been slipping in recent years.
More and more often, the group buys a bug from a researcher, the vendor patches it, and soon afterward ZDI is buying another report showing how to bypass the patch, sometimes through multiple rounds of patching and circumvention. ZDI also says it has noticed a worrying trend of companies disclosing less specific information about vulnerabilities in their public security advisories, making it harder for users around the world to judge how serious a vulnerability is and decide how urgently to patch it—a real concern for big institutions and critical infrastructure.
“Over the last few years, we’ve really noticed that the quality of security patches has noticeably declined,” says ZDI member Dustin Childs. “There’s no accountability for having incomplete or faulty patches.”
ZDI researchers say that bad patches happen for a variety of reasons. Figuring out how to fix software flaws can be a nuanced and delicate process, and sometimes companies lack the expertise or haven’t made the investment to generate elegant solutions to these important problems. Organizations may be rushing to close bug reports and clear their slate and may not take the time needed to conduct “root cause” or “variant” analysis and assess underlying issues so deeper problems can be comprehensively fixed. Root-cause analysis asks what underlying defect made the reported trigger possible, so the fix closes the bug itself rather than one path to it; variant analysis looks for other places in the code where the same mistake was made.
Regardless of the reason, bad patches are a real concern. At the end of June, Google’s Project Zero bug-hunting team reported that of the zero-day vulnerabilities it had tracked being exploited in the wild so far in 2022, at least half were variants of previously patched flaws.
“A combination of things over time has led us to believe that we actually have a more serious problem than most people understand,” says Brian Gorenc, who runs ZDI.
Like other organizations heavily involved in disclosure, including Project Zero, ZDI gives developers a deadline for how long they have to issue a patch before it publishes details about the vulnerability in question. ZDI’s standard deadline is 120 days from the date it reports the flaw to the vendor. But in reaction to the epidemic of bad patches, today the group is announcing a new, shorter set of deadlines for bugs that bypass a previous patch.
Depending on the severity of the flaw, how easily the existing patch can be bypassed, and how likely ZDI thinks it is that attackers will exploit the vulnerability, the group will now set deadlines of 30 days for critical flaws, 60 days for bugs where the existing patch provides some protection, and 90 days for all other cases. The move follows a tradition of using public disclosure as an important point of leverage—one of the few that security proponents have—to spur necessary improvements in how developers handle high-stakes software flaws that potentially impact users around the world.
“The weaponization of failed patches in various vulnerabilities is absolutely being used in the wild right now,” ZDI’s Childs says. “It’s a real problem that has real consequences to the user, and we’re trying to incentivize vendors to get it right the first time.”