Patch Production & Responsible Disclosure – Follow On to WSJ Post

By Matthew Parcell ·

A recent article published on the Wall Street Journal online declares a “Broad New Hacking Attack” involving the ‘new’ malware threat, Zeus or zbot.  This threat is far from new, however, neither the malware nor the phenomenon.  In April of 2008, RSA issued an advisory about the threat.  It is simply another dashboard exploiting a different set of vulnerabilities.

The reality of the situation is that the current security controls in place for many companies are not going to adequately protect against this kind of threat. At a macro level, until industry standards demand rapid patch releases from vendors and corporate policies enforce more timely updates for their users, these botnet armies will continue to grow virtually unchecked.

Even with corporate patch management programs that enforce strong update policies, it is fundamentally a losing battle to try and stay ahead of the people crafting this malware by patching once a month.   Whether it’s Microsoft’s ‘patch Tuesday’ or Firefox’s semi-monthly security updates, the window of time in between patches leaves attackers too much room to craft new exploits to update the malware with.  Companies are limited by the patches released by vendors and the vendors in turn are limited by the vulnerabilities they are aware of.

In order to further facilitate the production of these patches, stronger incentives should exist for responsible vulnerability disclosure.  Rather than simply relying on community reports or vulnerability leaks, vulnerability disclosure should be rewarded monetarily.  If Microsoft is willing to offer a quarter of a million dollar rewardfor the arrest of the people that made Conficker, isn’t it reasonable to offer rewards for the responsible disclosure of these vulnerabilities before they reach the massively exploited botnet-army stage?  These patches are only useful, however, if corporate policies enforce regular updates.  It‘s the circle of life.

There are, obviously, steps that can be taken to mitigate the risk presented by these threats but those are covered in Jim’s post.