IBM, HP, Microsoft lead patching laggards, says bug buyer
ZDI's six-month disclosure deadline results in 21 'zero-day' advisories for those firms' software
Computerworld - IBM, Hewlett-Packard (HP) and Microsoft led the list of companies that failed to patch vulnerabilities within six months of being notified by the world's biggest bug bounty program, according to HP TippingPoint's Zero-Day Initiative (ZDI).
During 2011, TippingPoint -- a division of HP -- released 29 "zero-day" advisories that provided information on vulnerabilities it had reported to vendors six or more months earlier. Ten of the 29 were bugs in IBM software, six in HP's own software and five were in Microsoft products.
Other companies on the list of late-to-patch vendors included CA, Cisco and EMC.
TippingPoint, which may be best known as the sponsor of the annual Pwn2Own hacking contest, buys vulnerabilities from independent security researchers, privately reports them to vendors and then uses the information to craft defenses for its own line of security appliances.
In mid-2010, TippingPoint announced that if a vendor had not patched a reported vulnerability within six months it would go public with an advisory that included "limited details" of the bug.
TippingPoint released its first zero-day advisory Feb. 7, 2011.
Last year, TippingPoint said it was using the six-month deadline to push software developers to release patches faster. "By releasing some information, it puts the spotlight on vendors," said Aaron Portnoy, the leader of TippingPoint's security research team, in an interview at the time.
Today, Portnoy and Derek Brown, a ZDI researcher, said that the program had worked, more or less.
"What's come out of this is that we've seen a better response," said Brown. "If vendors don't show due diligence, and after working with them it doesn't look like they're making a strong commitment to patching, we release the information as a zero-day advisory."
"It's not just the actual impact of the vulnerabilities, but the perceived impact," argued Portnoy. "It puts pressure on the vendor to patch their product because the number of unpatched vulnerabilities can change the perception of the product's security."
Portnoy also cited some strong success stories.
"Some security teams thanked us for dropping a zero-day [advisory] on them," Portnoy said. "They were able to use that to make the business case that they should have more resources."
Of the five Office vulnerabilities that ZDI disclosed on Feb. 7, 2011, Microsoft patched all five in its April 2011 bulletins of MS11-021, MS11-022 and MS11-023. ZDI had handed Microsoft those vulnerabilities in three batches on June 30, July 20 and Aug. 25, 2010.
IBM and HP never patched the 16 vulnerabilities, some reported by ZDI two or even three years earlier, that were disclosed in the bounty-paying program's zero-day advisories.
Portnoy and Brown also credited the pressure of a six-month deadline for ZDI's record-setting year. So far during 2011, TippingPoint's cadre of independent researchers had generated 350 vulnerability reports, up 16% from the 301 of 2010, said Brown.
- Top 10 Reasons to Strengthen Information Security with Desktop Virtualization Regain control and reduce risk without sacrificing business productivity and growth
- Preventing Sophisticated Attacks: Anti-Evasion & Advanced Evasion Techniques McAfee Next Generation Firewall applies sophisticated analysis techniques specifically to detect advanced evasion techniques (AET).
- The Security Industry's Dirty Little Secret The debate over advanced evasion techniques (AETs) This report summarizes the findings of a McAfee commissioned research group to determine the level of understanding IT security professionals have about AETs...
- Demand More, Get the Most from the Move to a Next-Generation Firewall Beyond the basics in a next generation firewall, to protect your investment you should demand other valuable features: intrusion prevention, contextual rules, advanced...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!