Faulty ‘placebo patches’ reveal holes in software-development practices

In addition to operating systems, applications, and embedded technologies, IT pros lately have had to add one more item to the lengthy list of things to patch: patches.

The Zero Day Initiative, a vendor-agnostic bug-bounty program begun in 2005 and since acquired by Trend Micro, recently addressed concerns of incomplete and ineffective patches by modifying its disclosure deadlines.

ZDI’s reduction of timelines, announced in August, suggests a greater urgency in addressing a software-development problem: everybody’s moving too fast.

For the sake of speed, software makers are abandoning an ongoing design approach that identifies and reviews breaks throughout a system’s life cycle, according to one member of the Initiative.

“Companies aren’t really looking to support their product after release. They’d rather put their engineering resources on building ‘V next,’ whatever that is, rather than maintaining and correcting what they’d already released,” said Dustin Childs, senior communications manager for the Zero Day Initiative.

The organization announced at Black Hat that it would change its disclosure deadlines for bug reports that result from patchy patches.

“Over the last couple of years, we’ve definitely seen a decrease in quality, to the point that now 10%–20% of the bugs we purchase at ZDI are the result of faulty or otherwise incomplete patches,” Childs told IT Brew.

Instead of ZDI’s standard 120-day disclosure timeline for most vulnerabilities, critical-rated cases, where exploitation is detected or expected, now have a 30-day timeframe, “which means they need to produce a fix within 30 days, or we will go public with some of the information,” Childs said. (Learn more about the tiered deadlines.)

A variety of vendors have deployed incomplete or otherwise faulty updates. In October 2021, VMware released an incomplete, bypass-able patch. May 2021 saw Dell’s five driver fixes still open Windows-kernel level attacks. The list goes on. (See: Cisco, SonicWall, Google, and Apache.)

“We wanted to show that it wasn’t just Adobe or Microsoft,” Childs told IT Brew. “This is an industry-wide problem.”

Development cycles used to be much more methodical, said Jerry Murphy, SVP of research and consulting at Nemertes, and would involve testing of unit, system-integration, and stress.

Rapid software development is focused on quickly adding new features, including patches, said Murphy—at the expense of full-quality assurance.

People are thinking, “We can’t wait for this full software testing life cycle. People are hurting now. We need to put that fix out now,” Murphy told IT Brew.“It’s a trade-off where I’m getting you a feature or function quicker. But the risk to that is, I haven’t thoroughly tested it.”

And there’s a shortage of testers. A 2021 survey from the software-development company Jetbrains found that 44% of the 31,743 surveyed said they have fewer than one QA engineer per 10 developers.

“There’s been a real shift away from having a dedicated testing team in a lot of places,” said Childs. “And beyond just having good testers, especially when it comes to security patches, you need to have people who understand the security problem that’s being called out.”—BH

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @BillyHurls on Twitter.