Ad End 1 February 2024
Ad Ends 13 January 2025
Ad End 26 February 2025
ad End 25 April 2025
Ad Ends 20 January 2025
Ad expire at 5 August 2024
banner Expire 25 April 2025
What's new
banner Expire 15 January 2025
banner Expire 20 October 2024
UniCvv
casino
swipe store
adv exp at 23 August 2024
Carding.pw carding forum
BidenCash Shop
Kfc CLub

File_closed07

TRUSTED VERIFIED SELLER
Staff member
Joined
Jun 13, 2020
Messages
7,738
Reaction score
922
Points
212
Awards
2
  • trusted user
  • Rich User
A quarter of zero-day exploits discovered last year could have been avoided if vendors had taken a more methodical and comprehensive approach to patching, according to Google.

Project Zero security researcher, Maddie Stone, argued in a blog post yesterday that 25% of zero-days spotted in 2020 were closely related to previously publicly disclosed vulnerabilities.

This means that incomplete patches issued by vendors are effectively allowing attackers to craft follow-up zero-days more easily, in some cases simply by changing a line or two of code.

“A correct patch is one that fixes a bug with complete accuracy, meaning the patch no longer allows any exploitation of the vulnerability. A comprehensive patch applies that fix everywhere that it needs to be applied, covering all of the variants. We consider a patch to be complete only when it is both correct and comprehensive,” Stone explained.

“When exploiting a single vulnerability or bug, there are often multiple ways to trigger the vulnerability, or multiple paths to access it. Many times we’re seeing vendors block only the path that is shown in the proof-of-concept or exploit sample, rather than fixing the vulnerability as a whole, which would block all of the paths. Similarly, security researchers are often reporting bugs without following up on how the patch works and exploring related attacks.”

She detailed six of the 24 zero-day, browser-based exploits detected last year which were closely related to previous publicly disclosed bugs, and a further three vulnerabilities from 2020 and 2019 which were exploited in the wild but not properly fixed.

To improve the situation, vendors will need to focus on investment, prioritization and planning, Stone argued.

“Exactly what investments are likely required depends on each unique situation, but we see some common themes around staffing/resourcing, incentive structures, process maturity, automation/testing and partnerships,” she noted.

“While the idea that incomplete patches are making it easier for attackers to exploit zero-days may be uncomfortable, the converse of this conclusion can give us hope. If more vulnerabilities are patched correctly and comprehensively, it will be harder for attackers to exploit zero-days.
 
Ad End 1 February 2024
Top