Calculating Risk in the Era of Obscurity: Reading Between the Lines of Security Advisories

Presented at Black Hat USA 2022, Aug. 11, 2022, 11:20 a.m. (40 minutes)

Compliance with industry standards as well as various government regulations also requires a robust servicing and patching strategy. Beyond compliance, you must understand the risk to your resources from poor servicing. To help with this effort, standards exist to help assess risk. However, vendors can manipulate these standards, which can lead to errors when enterprises attempt to accurately gauge risk. Over time, vendors reduced the clarity of language in their advisories to the point where plain language about a bug no longer exists, leaving network defenders to speculate what the real risk from a product may be.

There are occasions when vendors release patches that are nothing more than placebos – patches that make no code changes at all and leave administrators with a false sense of security. Similarly, vendors release incomplete patches that do not properly mitigate the vulnerability. Not only does this leave software in a vulnerable state after applying what should be a fix, it doubles the cost of patching, since now another patch must be applied to mitigate the risks incurred from applying the first patch and increases the risk of attack.

Our conclusions are based on disclosing over 9,500 vulnerabilities over 17 years. This talk provides examples of systemic problems with security patches and how those problems negatively impact enterprise security. We propose methods to incentivize vendors to improve their servicing habits, including alternative disclosure timelines for failed patches. We encourage others disclosing vulnerabilities to adopt similar timelines and for customers to prioritize purchasing based on how vendors impact their risk through servicing.

Presenters:

• Dustin Childs - Sr. Communications Manager, Trend Micro Zero Day Initiative
  Dustin C. Childs is a part of Trend Micro's Zero Day Initiative (ZDI), which is the world's largest vendor agnostic bug bounty program. Dustin began his infosec journey in the late 1990's at the Air Force Information Warfare Center. He then transitioned from active duty to defense contractor. Following this role, Mr. Childs worked in the Microsoft Trustworthy Computing group, where he served as a case manager in the Microsoft Security Response Center (MSRC) with a focus on addressing vulnerabilities in the Windows operating system and in Microsoft's developer tools. In his current role, Mr. Childs creates, implements, and oversees communications programs, both internal and external, that promote the work of ZDI and its researchers.
• Brian Gorenc - Senior Director, Trend Micro Zero Day Initiative
  Brian Gorenc is the Sr. Director of Vulnerability Research with Trend Micro. In this role, Gorenc leads the Zero Day Initiative (ZDI) program, which represents the world's largest vendor-agnostic bug bounty program. His focus includes analyzing and performing root-cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. The ZDI works to expose and remediate weaknesses in the world's most popular software. Brian is also responsible for organizing and adjudicating the ever-popular Pwn2Own hacking competitions.

Links:

• https://www.blackhat.com/us-22/briefings/schedule/#calculating-risk-in-the-era-of-obscurity-reading-between-the-lines-of-security-advisories-26874

Similar Presentations:

• DeepSec 2015 „DeepSec No. 9“ / Yes, Now YOU Can Patch That Vulnerability Too!
• TROOPERS18 (2018) / SAP Security patches; The importance, difficulties and solutions!
• Black Hat USA 2016 / Adaptive Kernel Live Patching: An Open Collaborative Effort to Ameliorate Android N-Day Root Exploits