Compliance with industry standards as well as various government regulations also requires a robust servicing and patching strategy. Beyond compliance, you must understand the risk to your resources from poor servicing. To help with this effort, standards exist to help assess risk. However, vendors can manipulate these standards, which can lead to errors when enterprises attempt to accurately gauge risk. Over time, vendors reduced the clarity of language in their advisories to the point where plain language about a bug no longer exists, leaving network defenders to speculate what the real risk from a product may be.
There are occasions when vendors release patches that are nothing more than placebos – patches that make no code changes at all and leave administrators with a false sense of security. Similarly, vendors release incomplete patches that do not properly mitigate the vulnerability. Not only does this leave software in a vulnerable state after applying what should be a fix, it doubles the cost of patching, since now another patch must be applied to mitigate the risks incurred from applying the first patch and increases the risk of attack.
Our conclusions are based on disclosing over 9,500 vulnerabilities over 17 years. This talk provides examples of systemic problems with security patches and how those problems negatively impact enterprise security. We propose methods to incentivize vendors to improve their servicing habits, including alternative disclosure timelines for failed patches. We encourage others disclosing vulnerabilities to adopt similar timelines and for customers to prioritize purchasing based on how vendors impact their risk through servicing.