IBM, HP, Microsoft lead patching laggards, says bug buyer

ZDI's six-month disclosure deadline results in 21 "zero-day" advisories for those firms' software

IBM, Hewlett-Packard (HP) and Microsoft led the list of companies that failed to patch vulnerabilities within six months of being notified by the world's biggest bug bounty program, according to HP TippingPoint's Zero-Day Initiative (ZDI).

During 2011, TippingPoint -- a division of HP -- released 29 "zero-day" advisories that provided information on vulnerabilities it had reported to vendors six or more months earlier. Ten of the 29 were bugs in IBM software, six in HP's own software and five were in Microsoft products.

Other companies on the list of late-to-patch vendors included CA, Cisco and EMC.

TippingPoint, which may be best known as the sponsor of the annual Pwn2Own hacking contest, buys vulnerabilities from independent security researchers, privately reports them to vendors and then uses the information to craft defenses for its own line of security appliances.

In mid-2010, TippingPoint announced that if a vendor had not patched a reported vulnerability within six months it would go public with an advisory that included "limited details" of the bug.

TippingPoint released its first zero-day advisory Feb. 7, 2011.

Last year, TippingPoint said it was using the six-month deadline to push software developers to release patches faster. "By releasing some information, it puts the spotlight on vendors," said Aaron Portnoy, the leader of TippingPoint's security research team, in an interview at the time.

Today, Portnoy and Derek Brown, a ZDI researcher, said that the program had worked, more or less.

"What's come out of this is that we've seen a better response," said Brown. "If vendors don't show due diligence, and after working with them it doesn't look like they're making a strong commitment to patching, we release the information as a zero-day advisory."

"It's not just the actual impact of the vulnerabilities, but the perceived impact," argued Portnoy. "It puts pressure on the vendor to patch their product because the number of unpatched vulnerabilities can change the perception of the product's security."

Portnoy also cited some strong success stories.

"Some security teams thanked us for dropping a zero-day [advisory] on them," Portnoy said. "They were able to use that to make the business case that they should have more resources."

Of the five Office vulnerabilities that ZDI disclosed on Feb. 7, 2011, Microsoft patched all five in its April 2011 bulletins of MS11-021 , MS11-022 and MS11-023 . ZDI had handed Microsoft those vulnerabilities in three batches on June 30, July 20 and Aug. 25, 2010.

IBM and HP never patched the 16 vulnerabilities, some reported by ZDI two or even three years earlier, that were disclosed in the bounty-paying program's zero-day advisories.

Portnoy and Brown also credited the pressure of a six-month deadline for ZDI's record-setting year. So far during 2011, TippingPoint's cadre of independent researchers had generated 350 vulnerability reports, up 16% from the 301 of 2010, said Brown.

"The [six-month deadline] policy helped create the numbers of this year," Brown said.

Among the most interesting trends in bugs bought this year, ZDI said vulnerabilities in industrial control systems -- dubbed SCADA for "supervisory control and data acquisition" -- topped the list.

ZDI acquired six SCADA vulnerabilities in 2011 that affected software created by General Electric, Honeywell and InduSoft.

"We have some pretty serious [SCADA] bugs," said Brown. "And so far, our experience with the vendors has been great."

ZDI has not released any zero-day advisories for SCADA bugs it's obtained, but Portnoy said that TippingPoint was not above dropping one if a patch wasn't aggressively pursued.

He attributed the interest in SCADA vulnerabilities to last year's Stuxnet, the worm most experts believe was crafted to sabotage Iran's nuclear fuel enrichment program by damaging centrifuges at one or more facilities.

TippingPoint is working with ICS-CERT (Industrial Control Systems Cyber Emergency Response Team), part of US-CERT, which in turn is within the Department of Homeland Security, to coordinate the disclosure of the SCADA bugs it's obtained.

In other news, Portnoy confirmed that TippingPoint and ZDI would again sponsor the Pwn2Own hacking contest , slated to run in early March 2012 at CanSecWest in Vancouver, British Columbia.

Portnoy said that ZDI would "step up the stakes" of the contest by modifying both the format of the contest and the prizes awarded. He declined to reveal more information about 2012's Pwn2Own, but promised to provide more information to researchers early next year.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer , on Google+ or subscribe to Gregg's RSS feed . His e-mail address is .

See more articles by Gregg Keizer .

Read more about security in Computerworld's Security Topic Center.

Copyright © 2011 IDG Communications, Inc.

Bing’s AI chatbot came to work for me. I had to fire it.
Shop Tech Products at Amazon