Patch madness: Vendor bug advisories are broken, so broken

BLACK HAT USA – Las Vegas – Keeping up with security-vulnerability patching is challenging at best, but prioritizing which bugs to focus on has become more difficult than ever before, thanks to context-lacking CVSS scores, muddy vendor advisories, and incomplete fixes that leave admins with a false sense of security.

That’s the argument that Brian Gorenc and Dustin Childs, both with Trend Micro’s Zero Day Initiative (ZDI), made from the stage of Black Hat USA during their session, “Calculating Risk in the Era of Obscurity: Reading Between the Lines of Security Advisories.”

ZDI has disclosed more than 10,000 vulnerabilities to vendors across the industry since 2005. Over the course of that time, ZDI communications manager Childs said that he’s noticed a disturbing trend, which is a decrease in patch quality and reduction of communications surrounding security updates.

“The real problem arises when vendors release faulty patches, or inaccurate and incomplete information about those patches that can cause enterprises to miscalculate their risk,” he noted. “Faulty patches can also be a boon to exploit writers, as ‘n-days’ are much easier to use than zero-days.”

The Trouble With CVSS Scores & Patching Priority

Most cybersecurity teams are understaffed and under pressure, and the mantra “always keep all software versions up-to-date” doesn’t always make sense for departments who simply don’t have the resources to cover the waterfront. That’s why prioritizing which patches to apply according to their severity rating in the Common Vulnerability Severity Scale (CVSS) has become a fallback for many admins.

Childs noted, however, that this approach is deeply flawed, and can lead to resources being spent on bugs that are unlikely to ever be exploited. That’s because there’s a host of critical information that the CVSS score doesn’t provide.

“All too often, enterprises look no further than the CVSS base core to determine patching priority,” he said. “But the CVSS doesn’t really look at exploitability, or whether a vulnerability is likely to be used in the wild. The CVSS doesn’t tell you if the if the bug exists in 15 systems or in 15 million systems. And it doesn’t say whether or not it’s in publicly accessible servers.”

He added, “And most importantly, it doesn’t say whether or not the bug is present in a system that’s critical to your specific enterprise.”

Thus, even though a bug might carry a critical rating of 10 out of 10 on the CVSS scale, it’s true impact may be much less concerning than that critical label would indicate.

To read the complete article, visit Dark Reading.