Zero Day Initiative Changes Bad Patch Disclosure Policy


“We hope the new timelines will encourage vendors to fix the patch first time around.”

In July 2021, Microsoft released an emergency patch for the critical “PrintNightmare” flaw (CVE-2021-34527), but many researchers disputed the effectiveness of the patches, claiming that they were able to circumvent the patch to obtain a local elevation of privileges. Meanwhile, in February, Apple re-released a patch for a WebKit flaw that was being exploited in the wild; the flaw was initially discovered and patched in 2013, but was later reintroduced in 2016 during a refactoring effort.

Faulty patches lead organizations to mistakenly think a flaw has been fixed – but they also complicate estimating risk in affected systems and drain organizations of money, time, and resources when reissued patches need to be reapplied (with patch costs for medium and large enterprises sometimes exceeding six figures per month, according to ZDI).

Researchers reflected on the complexity of patch development while considering vulnerability disclosure windows: they want to ensure that companies releasing patches take the time to fix the root cause of a flaw and investigate all of its variants, instead of rushing for an easy fix that may itself be flawed but can be pushed out within the disclosure window.

ZDI said that in the future, it will follow failing patches more closely. By adjusting its disclosure timelines, ZDI hopes that vendors’ overall repair time will decrease. Disclosure windows are constantly reviewed and modified as different factors in patch management and the threat landscape change, with ZDI previously reducing its disclosure schedule from 180 days to 120 days, for example. Google Project Zero, meanwhile, announced a trial in 2021 that would give an additional 30-day leeway period for releasing technical details, if the issue was resolved within 90 days (previously the policy required that disclosure occurs 90 days after an initial vulnerability report, regardless of when the bug is fixed).

“I can see the logic behind the update only applying to broken or incomplete patches,” said Casey Ellis, Founder and CTO of Bugcrowd. “Releasing a patch provides richer information for those who wish to reverse it, which generally reduces the time needed to find a vulnerability and test/develop a working exploit. It also implies that authors and owners of the code have had recent experience in that particular part of the code base, which reduces the time needed to re-edit a working patch.”