It has been known for a long time that released software contains bugs. The ideal is to release with no bugs at all, but testing every single use case is unlikely, if not impossible. There is always one constraint or another that stops you from testing every possible permutation of your software, and in my experience (other experiences may differ) there can be so many possible permutations that testing every single one would stretch the testing period into years, even given an increase in QA resources.
Among these bugs are vulnerabilities in software that are unknown to the vendor. These are called "zero day" vulnerabilities because the programmer has had zero days to fix the issue and get a patch deployed: the vulnerability is out there and no fix is currently available. Companies catch the vast majority of bugs, including exploitable ones, but it is inevitable that some will slip through the net, making zero day vulnerabilities a long-standing fact of software development.
The implications of Project Zero
Now Google has decided that enough is enough and has taken action with Project Zero, a small team of dedicated bug hunters headed by the former head of Google Chrome security. These experts are tasked with actively looking for zero day vulnerabilities in software. Once they find one, the clock starts: the vendor in question has a 90 day deadline to fix the vulnerability. When the 90 day countdown has elapsed, the vulnerability is made public along with the source code used to find it. If a fix is created before the 90 days are up, Google releases the information sooner.
The complications that arise as a result of this are best explained by a quote from the 2015 annual security report from Cisco: "Adversaries take the easiest path available when determining how and where their exploits will succeed. They choose products that present more attack surface opportunities; those opportunities are generally created by the use of unpatched or out-dated software."
Basically, because the vast majority of hackers exploit known vulnerabilities (please refer to a previous blog) and Google is announcing them to the public whether or not a fix exists, vendor patching is becoming more prolific than ever. Of course, vendors patching their own software is only part of the story. For a patch to close a vulnerability effectively, it must also be deployed by those who own or use the affected software. With various studies indicating that patching in a great many environments is less than regular, the flood gates are open for opportunistic hackers to take advantage of exploits handed to them on a silver platter.
A sure-fire way to make sure that the exploits Google makes available don't cause an increased risk of cyber attack is to patch regularly. However, with 12% of companies not even having a patching process in place, the indicators are that this will not necessarily be an easy task. What's more, those that do have a patching process in place may still not be completely patched.
What this development highlights is the importance of understanding your environment well enough to be in a good position to remediate where you find risk. Typically, the risks you come across will be critical and will have been caused by security patches not being applied within an appropriate timescale, or in some cases not at all.
This is where 1E technologies can really help. We have solutions designed to help you understand the risks that exist in your current environment and to delve deeper into the information in order to understand where changes need to be made. Once you are empowered with this actionable data, 1E has the expertise and solutions to improve your patch coverage and patch deployment times, especially over limited-bandwidth connections or when the machines that need patching are switched off.
To request a free trial of any of the 1E solutions, or to find out how 1E can help you identify your current patching levels and how our products can help you patch effectively, please contact us by email.