- ‘잘 설계된 프롬프트라도 이식성 떨어져’···IBM, 프로그래밍하는 ‘생성형 컴퓨팅’이 대안
- Google just gave Gmail a major AI upgrade, and it solves a big problem for me
- Your Google Gemini assistant is getting 8 useful features - here's the update log
- I recommend this budget OnePlus phone over most low-cost devices - especially at $70 off
- Save $750 on the HP Envy Laptop 17 when you buy directly from HP
Google: Incomplete Patches Caused Quarter of Zero-Days in 2020
A quarter of zero-day exploits discovered last year could have been avoided if vendors had taken a more methodical and comprehensive approach to patching, according to Google.
Project Zero security researcher, Maddie Stone, argued in a blog post yesterday that 25% of zero-days spotted in 2020 were closely related to previously publicly disclosed vulnerabilities.
This means that incomplete patches issued by vendors are effectively allowing attackers to craft follow-up zero-days more easily, in some cases simply by changing a line or two of code.
“A correct patch is one that fixes a bug with complete accuracy, meaning the patch no longer allows any exploitation of the vulnerability. A comprehensive patch applies that fix everywhere that it needs to be applied, covering all of the variants. We consider a patch to be complete only when it is both correct and comprehensive,” Stone explained.
“When exploiting a single vulnerability or bug, there are often multiple ways to trigger the vulnerability, or multiple paths to access it. Many times we’re seeing vendors block only the path that is shown in the proof-of-concept or exploit sample, rather than fixing the vulnerability as a whole, which would block all of the paths. Similarly, security researchers are often reporting bugs without following up on how the patch works and exploring related attacks.”
She detailed six of the 24 zero-day, browser-based exploits detected last year which were closely related to previous publicly disclosed bugs, and a further three vulnerabilities from 2020 and 2019 which were exploited in the wild but not properly fixed.
To improve the situation, vendors will need to focus on investment, prioritization and planning, Stone argued.
“Exactly what investments are likely required depends on each unique situation, but we see some common themes around staffing/resourcing, incentive structures, process maturity, automation/testing and partnerships,” she noted.
“While the idea that incomplete patches are making it easier for attackers to exploit zero-days may be uncomfortable, the converse of this conclusion can give us hope. If more vulnerabilities are patched correctly and comprehensively, it will be harder for attackers to exploit zero-days.”
