IBM, HP, Microsoft lead patching laggards, says bug buyer
ZDI's six-month disclosure deadline results in 21 'zero-day' advisories for those firms' software
Computerworld - IBM, Hewlett-Packard (HP) and Microsoft led the list of companies that failed to patch vulnerabilities within six months of being notified by the world's biggest bug bounty program, according to HP TippingPoint's Zero-Day Initiative (ZDI).
During 2011, TippingPoint -- a division of HP -- released 29 "zero-day" advisories that provided information on vulnerabilities it had reported to vendors six or more months earlier. Ten of the 29 were bugs in IBM software, six in HP's own software and five were in Microsoft products.
Other companies on the list of late-to-patch vendors included CA, Cisco and EMC.
TippingPoint, which may be best known as the sponsor of the annual Pwn2Own hacking contest, buys vulnerabilities from independent security researchers, privately reports them to vendors and then uses the information to craft defenses for its own line of security appliances.
In mid-2010, TippingPoint announced that if a vendor had not patched a reported vulnerability within six months it would go public with an advisory that included "limited details" of the bug.
TippingPoint released its first zero-day advisory Feb. 7, 2011.
Last year, TippingPoint said it was using the six-month deadline to push software developers to release patches faster. "By releasing some information, it puts the spotlight on vendors," said Aaron Portnoy, the leader of TippingPoint's security research team, in an interview at the time.
Today, Portnoy and Derek Brown, a ZDI researcher, said that the program had worked, more or less.
"What's come out of this is that we've seen a better response," said Brown. "If vendors don't show due diligence, and after working with them it doesn't look like they're making a strong commitment to patching, we release the information as a zero-day advisory."
"It's not just the actual impact of the vulnerabilities, but the perceived impact," argued Portnoy. "It puts pressure on the vendor to patch their product because the number of unpatched vulnerabilities can change the perception of the product's security."
Portnoy also cited some strong success stories.
"Some security teams thanked us for dropping a zero-day [advisory] on them," Portnoy said. "They were able to use that to make the business case that they should have more resources."
Of the five Office vulnerabilities that ZDI disclosed on Feb. 7, 2011, Microsoft patched all five in its April 2011 bulletins of MS11-021, MS11-022 and MS11-023. ZDI had handed Microsoft those vulnerabilities in three batches on June 30, July 20 and Aug. 25, 2010.
IBM and HP never patched the 16 vulnerabilities, some reported by ZDI two or even three years earlier, that were disclosed in the bounty-paying program's zero-day advisories.
Portnoy and Brown also credited the pressure of a six-month deadline for ZDI's record-setting year. So far during 2011, TippingPoint's cadre of independent researchers had generated 350 vulnerability reports, up 16% from the 301 of 2010, said Brown.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Neustar 2014 DDoS Attacks and Impact Report For the third consecutive year, Neustar surveyed hundreds of companies on distributed denial of service (DDoS) attacks. The survey reveals evidence that the...
- Acxiom Case Study This case study, which focuses on Acxiom, explores how the company was able to secure employee data, reduce migration costs and boost productivity...
- Windows® XP Migration: Protect and Secure Critical Data With the end of the Microsoft Windows XP operating system's lifecycle on April 8, 2014, businesses are faced with the decision to migrate...
- Enhancing Application Protection and Recovery with a Modern Approach to Snapshot Management This CommVault Business Value and Technology White Paper explains how Simpana IntelliSnap® Recovery Manager can make your application recovery fast and reliable.
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts