IT Vendors Slower to Patch

Tuesday, January 10, 2012 @ 04:01 PM gHale

IBM, Hewlett-Packard and Microsoft top the list of companies that failed to patch vulnerabilities after notification from the world’s largest bug-bounty program, according to the TippingPoint Zero-Day Initiative (ZDI).

During 2011, TippingPoint, a division of HP, released 29 “zero-day” advisories for vulnerabilities it had reported to IT vendors six or more months earlier without a fix appearing. Ten of the 29 were bugs in IBM software, six were in HP applications and five were in Microsoft products (the Microsoft flaws have since been patched).


Other vendors on the late-to-patch list included CA, Cisco and EMC.

TippingPoint, which sponsors the Pwn2Own hacking contest, buys vulnerability information from independent security researchers and reports it privately to the affected vendors. It also uses the information to build detection filters for its own line of intrusion-prevention appliances.

In mid-2010, TippingPoint said it would publish advisories containing “limited details” of reported vulnerabilities if a vendor had not shipped a patch within six months of notification.

TippingPoint released its first zero-day advisory Feb. 7, 2011.

Last year, TippingPoint said it was using the six-month deadline to push software developers to release patches faster. “By releasing some information, it puts the spotlight on vendors,” said Aaron Portnoy, the leader of TippingPoint’s security research team.

Portnoy and Derek Brown, a ZDI researcher, said the pressure has worked, more or less. “We’ve seen a better response,” Brown said. “If it doesn’t look like they’re making a commitment to patching, we release the information.”

“It puts pressure on the vendors to patch their products, because the number of unpatched vulnerabilities can change the perception of the product’s security,” Portnoy said.

As of late December, ZDI’s independent researchers had submitted 350 vulnerability reports during 2011, up 16% from the 301 submitted a year earlier.
