The alert from the Zero Day Initiative (ZDI) announcing changes to its disclosure policy for ineffective patches has come at the perfect time. A recent yet alarming trend with silent patches has been brought to the surface, as the reduction in communications surrounding patches has been overlooked for quite some time. As a result, enterprises are losing their ability to accurately estimate the risk in their coordinated vulnerability disclosure (CVD) systems – further harming IT protectors.
The updates to ZDI’s policy are intended to incentivize vendors to patch correctly the first time around and to communicate patches effectively, so that the public gets an accurate depiction of risk. While shortening the timelines for public disclosure of vulnerabilities has become an urgent need, not everyone truly understands the hidden harm of silent patching or where to start.
To better grasp the concerns surrounding the matter, it’s important to understand three main areas: the history behind the silent patch, the repercussions of limiting researchers in the process, and how organizations must respond quickly and efficiently to improve their patch rates and avoid long-term consequences.
What to know about the silent patch
To start, most major software vendors were once infamous for sweeping vulnerability reports under the rug, which made it challenging for researchers to report vulnerabilities. Bug reports from researchers were often housed in a quiet, unobserved space until, without notice, their proof-of-concept exploits no longer worked. No credit, no explanation, no CVE ID – this was the standard silent patching model.
While this was once the norm, it’s very dangerous today, as the ZDI announcement makes clear. In most cases, companies shipping these software patches were not using exotic packers, nor were they employing anti-forensics. Regardless of any encryption or obfuscation of the patch data, the patch eventually has to modify the code of the running software, which exposes the change to anyone armed with a debugger and a disassembler. In these instances, there was a high risk that skilled exploit developers would swoop in, diff the patched code against the original, and take advantage of the vulnerabilities the patch was meant to fix before protectors even knew they existed.
Consequences of limiting researchers and IT protectors
While silent patches limit who understands how to exploit a vulnerability, they also exclude penetration testers and other researchers who do defensive testing. Worse, they exclude the most important audience for a patch: the everyday IT administrators and managers in charge of assessing risk and making the calls on when to deploy patches. Not all vulnerabilities are equal, but protectors still need to get around to all of them; the challenge is determining which ones to apply today and which ones can wait for the next maintenance cycle. Without documentation of what a patch fixes, that prioritization is guesswork.
Although IT professionals do have some capability to reverse-engineer patches, doing so is complicated, error-prone and often extremely time-consuming. Publicly disclosing patch details right away spares everyone that effort and lets both researchers and administrators spend their time on what matters: understanding and patching vulnerabilities, so that we can get back to our goal of securing the industry at large.
Ways to improve patch rates and avoid long-term effects
Time-to-patch is getting faster, and more companies and projects are taking patching and vulnerability reporting seriously, but there’s still a gray area where the tradeoff between patch quality and timeliness is out of balance. While we’ve seen examples such as Google's and ZDI's more recent moves to shorten timelines for public disclosure of newer vulnerabilities, Rapid7's own research indicates the same trend of more active, in-the-wild attacks against previously patched issues, thanks to patch bypasses and incomplete fixes.
The best way to improve patch efficacy is to stay engaged with the researcher who initially disclosed the vulnerability. Providing them with updates as the patch is developed can uncover hard-to-spot but easy-to-avoid gotchas in patch development; for example, a fix that blocks the specific proof-of-concept input but not the underlying bug class is exactly the kind of incomplete patch the original discoverer is best placed to catch. Often, security teams can avoid easy bypasses simply because the vendor checks in with the original discoverer. Our team noticed that vendors that stay engaged tend to release more complete patches and better documentation about those patches, while those that tackle the problem without help sometimes miss bypasses that are obvious to bug hunters.
What Happens Next?
So, where do we go from here? Silent patching only guards against a small, limited audience of threat actors. Fully documented patches are essential to educating the much larger audience of people, from researchers to IT administrators, who are key to supporting and improving software for the company’s users. While it's true that fully documented patches may benefit casual attackers along the way, the global population of casual attackers is much smaller than the population of the company’s users and IT protectors.
Think carefully the next time a vulnerability researcher approaches with the intention of publishing details about a patched vulnerability. While the first instinct may be to keep those details under wraps, consider the larger effect that silent patching has on CVD systems, and start to recognize the value of transparency. If we don’t make an effort to do so, it not only degrades the decision-making power of IT protectors, but gives leverage to the real criminals out there looking to take advantage of software vulnerabilities.
Tod Beardsley, director of research, Rapid7