IBM, HP, Microsoft lead patching laggards, says bug buyer
ZDI's six-month disclosure deadline results in 21 'zero-day' advisories for those firms' software
Computerworld - IBM, Hewlett-Packard (HP) and Microsoft led the list of companies that failed to patch vulnerabilities within six months of being notified by the world's biggest bug bounty program, according to HP TippingPoint's Zero-Day Initiative (ZDI).
During 2011, TippingPoint -- a division of HP -- released 29 "zero-day" advisories that provided information on vulnerabilities it had reported to vendors six or more months earlier. Ten of the 29 were bugs in IBM software, six in HP's own software and five were in Microsoft products.
Other companies on the list of late-to-patch vendors included CA, Cisco and EMC.
TippingPoint, which may be best known as the sponsor of the annual Pwn2Own hacking contest, buys vulnerabilities from independent security researchers, privately reports them to vendors and then uses the information to craft defenses for its own line of security appliances.
In mid-2010, TippingPoint announced that if a vendor had not patched a reported vulnerability within six months it would go public with an advisory that included "limited details" of the bug.
TippingPoint released its first zero-day advisory Feb. 7, 2011.
Last year, TippingPoint said it was using the six-month deadline to push software developers to release patches faster. "By releasing some information, it puts the spotlight on vendors," said Aaron Portnoy, the leader of TippingPoint's security research team, in an interview at the time.
Today, Portnoy and Derek Brown, a ZDI researcher, said that the program had worked, more or less.
"What's come out of this is that we've seen a better response," said Brown. "If vendors don't show due diligence, and after working with them it doesn't look like they're making a strong commitment to patching, we release the information as a zero-day advisory."
"It's not just the actual impact of the vulnerabilities, but the perceived impact," argued Portnoy. "It puts pressure on the vendor to patch their product because the number of unpatched vulnerabilities can change the perception of the product's security."
Portnoy also cited some strong success stories.
"Some security teams thanked us for dropping a zero-day [advisory] on them," Portnoy said. "They were able to use that to make the business case that they should have more resources."
Of the five Office vulnerabilities that ZDI disclosed on Feb. 7, 2011, Microsoft patched all five in its April 2011 bulletins of MS11-021, MS11-022 and MS11-023. ZDI had handed Microsoft those vulnerabilities in three batches on June 30, July 20 and Aug. 25, 2010.
IBM and HP never patched the 16 vulnerabilities, some reported by ZDI two or even three years earlier, that were disclosed in the bounty-paying program's zero-day advisories.
Portnoy and Brown also credited the pressure of a six-month deadline for ZDI's record-setting year. So far during 2011, TippingPoint's cadre of independent researchers had generated 350 vulnerability reports, up 16% from the 301 of 2010, said Brown.
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Ponemon 2014 SSH Security Vulnerability Report According to research by the Ponemon Institute, 3 out of 4 enterprises have no security controls in place for SSH which leaves organizations...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!