Do Faster Patch Releases Help Security?

Software vulnerabilities are being discovered in greater and greater numbers, providing more windows through which bad actors can attack users to cause damage. Fortunately, developers are responding by issuing patches at an increasingly rapid rate, letting those same users plug the holes that allow for everything from data exfiltration to malicious code injection to be carried out.

The problem is that like a person trying to use a bucket to bail water out of a sinking ship, the rate and scale of the problem can make even the fastest-acting individuals look inadequate.

According to Google’s Project Zero, a team of security analysts employed by the search giant with the goal of seeking out zero-day vulnerabilities, developers are releasing patches faster than ever. Last year, vendors took an average of 52 days to issue patches that fixed security vulnerabilities. While many developers worked faster than that, this was nonetheless a notable improvement on the average of approximately 80 days seen three years ago.

This 52-day average is within the 90-day disclosure deadline Google stipulates, referring to the length of time it will wait before disclosing the existence of the bug so as to allow it to be fixed. In 2021, just one vulnerability exceeded Google’s 90-day deadline – although 14 percent required Google’s 14-day grace period. Nonetheless, it highlights that developers are working hard to plug vulnerabilities as soon as they rear their ugly heads – with many devs managing to release fixes considerably sooner than the 52-day industry average.

Unfortunately, that doesn’t wholly solve the problem – which is one reason why organizations looking to improve their cyber security defenses should make use of tools like a Web Application Firewall (WAF) to protect against the damaging effects of vulnerabilities.

Closing the exploitation window

The reason for rushing to issue patches is, of course, because doing so closes the window of exploitability. Once a vulnerability has been discovered, it’s open season for attackers who can find ways to exploit it to their advantage. Like knowing that a certain house on a street has a non-functioning front door, thereby opening it up to would-be burglars, a vulnerable piece of software has no defense if malicious actors (in this case hackers) decide to target it. 

At their most damaging, these attacks may involve finding ways to exploit the targeted software’s vulnerabilities so as to allow the attacker to escalate their access privileges to levels akin to an administrator. This then allows them to perform any action that an administrator would be able to (albeit for evil, rather than for good), which may include (but not be limited to) installing and running malware, accessing and stealing sensitive data, and more.

The sooner that these vulnerabilities are plugged, the sooner users are protected against the vulnerabilities in question. Or, at least, that’s the theory. 

The two-step process

In reality, plugging vulnerabilities is a two-step process. First of all, the developer must discover (or be informed of) the vulnerability and fix it, then make that patch available to users in the form of an over-the-air update or other distribution method.

Secondly, the user must then download the patch and install it. While this second step sounds simple, it can actually be a sticking point for many organizations. If not enough people install a patch addressing a software vulnerability, cyber attackers will likely continue to target it, knowing that it can still be used to inflict damage.

For lots of organizations, the problem comes down to patch overload. With so many security vulnerabilities and resulting patches, they are likely faced with a never-ending stream of updates to install. In some cases, this can involve taking vital systems temporarily offline during the installation phase. For oftentimes understaffed IT departments, patch management may seem like a 24/7 job simply to keep on top of the necessary updates.

To cope with this challenge, they can utilize resources like those published by the Department of Homeland Security’s U.S. Computer Emergency Readiness Team to not just stay on top of the current major vulnerabilities, but also to triage these according to seriousness and potential risk severity.

The power of virtual patching

One of the best investments many organizations make is adopting additional layers of protection – in the form of tools like virtual patching. Although its name makes this sound like conventional software patching, in fact virtual patching refers to a series of rules that can help protect software by blocking attempts to exploit vulnerabilities, even in cases in which an official patch has not yet been issued. Cyber security tools of this kind involve the likes of Web Application Firewalls (WAF), Runtime Application Self-Protection (RASP), and others. While not a substitute for proper patches, virtual patching is therefore able to close security holes until patches can be applied.
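To make the idea of a virtual patch concrete, here is an added illustration (not code from the original article or from any WAF vendor) of a tiny rule engine in the style of a WAF/RASP filter. The vulnerable endpoint, parameter name, rule identifier and version numbers are all hypothetical; the point is that a rule blocks malformed input to a known-weak endpoint only while the deployed version is older than the one carrying the real fix, so the virtual patch retires itself once the proper patch is applied.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Request:
    """Minimal request model (constructed for this example)."""
    method: str
    path: str
    params: dict = field(default_factory=dict)

@dataclass
class VirtualPatch:
    rule_id: str
    description: str
    matches: Callable[[Request], bool]   # True when the request should be blocked
    fixed_in: tuple                       # first release containing the real fix

def _bad_template_param(req: Request) -> bool:
    """Hypothetical weakness: /export takes a 'template' name that an unpatched
    build handed to a file loader. Until fixed, allow only simple identifiers."""
    if req.path != "/export":
        return False
    value = req.params.get("template", "")
    return re.fullmatch(r"[A-Za-z0-9_-]{1,32}", value) is None

# The rule set a WAF/RASP layer would load (hypothetical rule id and version).
RULES = [
    VirtualPatch("VP-0001",
                 "Restrict /export template parameter until release 2.4.1",
                 _bad_template_param,
                 fixed_in=(2, 4, 1)),
]

def active_rules(deployed_version: tuple, rules=RULES) -> list:
    """Only rules whose real fix is not yet deployed stay in force."""
    return [r for r in rules if deployed_version < r.fixed_in]

def inspect(req: Request, deployed_version: tuple, rules=RULES) -> tuple:
    """Return ('block', rule_id) for the first matching active rule, else ('allow', None).
    A real deployment would also log the rule_id for detection and tuning."""
    for rule in active_rules(deployed_version, rules):
        if rule.matches(req):
            return ("block", rule.rule_id)
    return ("allow", None)
```

Because `fixed_in` is part of the rule, operators can see at a glance which virtual patches are still doing work and which can be removed, avoiding the stale-rule sprawl that makes WAF rule sets hard to maintain.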

Despite the best efforts of developers, software vulnerabilities are going to remain a challenge for the foreseeable future. But by playing it smart – and availing themselves of the right tools – organizations can fight back against the threat. It’s a battle well worth fighting – for the sake of your users, at the very least.
