Skip to main content

Patch Production & Responsible Disclosure – Follow On to WSJ Post

February 22, 2010

A recent article published on the Wall Street Journal online declares a “Broad New Hacking Attack” involving the ‘new’ malware threat, Zeus or zbot. This threat is far from new, however, neither the malware nor the phenomenon. In April of 2008, RSA issued an advisory about the threat.  It is simply another dashboard exploiting a different set of vulnerabilities.

The reality of the situation is that the current security controls in place for many companies are not going to adequately protect against this kind of threat. At a macro level, until industry standards demand rapid patch releases from vendors and corporate policies enforce more timely updates for their users, these botnet armies will continue to grow virtually unchecked.

Even with corporate patch management programs that enforce strong update policies, it is fundamentally a losing battle to try and stay ahead of the people crafting this malware by patching once a month. Whether it’s Microsoft’s ‘patch Tuesday’ or Firefox’s semi-monthly security updates, the window of time in between patches leaves attackers too much room to craft new exploits to update the malware with. Companies are limited by the patches released by vendors and the vendors in turn are limited by the vulnerabilities they are aware of.

In order to further facilitate the production of these patches, stronger incentives should exist for responsible vulnerability disclosure. Rather than simply relying on community reports or vulnerability leaks, vulnerability disclosure should be rewarded monetarily. If Microsoft is willing to offer a quarter of a million dollar reward for the arrest of the people that made Conficker, isn’t it reasonable to offer rewards for the responsible disclosure of these vulnerabilities before they reach the massively exploited botnet-army stage? These patches are only useful, however, if corporate policies enforce regular updates.  It‘s the circle of life.

There are, obviously, steps that can be taken to mitigate the risk presented by these threats but those are covered in Jim’s post.

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.

Privacy Policy

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.


Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cybersecurity Events in your area.