Oh no! Not another security patch Tuesday blog post!

Brian_Gorenc on ‎09-10-2013 12:33 PM

It’s that day of the month again when security purveyors trundle out their wares and hawk their opinions and advice regarding Microsoft’s latest round of security patches. This month is no different. Conducting a search on ‘patch Tuesday’ reveals a wealth of information and advice about this month’s round of fresh vulnerabilities. You will also find advice on how to prioritize your response.

Our advice on this matter is pretty straightforward – patch now. We recommend that you read the advisories, understand the risks the disclosure of these vulnerabilities poses for you and/or your organization, and act accordingly. Don’t forget that the good guys aren’t the only ones avidly awaiting the release of this information each month. But that’s not what this post is really about.

I recently started working at HP Security Research, which includes the Zero Day Initiative (ZDI) team, after leaving Microsoft. As such, I find myself looking at “Patch Tuesday” from quite a different perspective now. Have you ever wondered where the research comes from that uncovers the vulnerabilities that get patched? ZDI researchers discover about half of all vulnerabilities Microsoft patches, including the large majority of the critical ones. This month is no different. Of the 14 critical CVEs (“[vulns] whose exploitation could allow code execution without user interaction”) being patched this month, ZDI researchers discovered and responsibly disclosed 10 of them, leading to these vulnerabilities being addressed by Microsoft and making the ecosystem safer for everyone. Not a bad result!

You know, if we look back at 2013 so far, we can see that ZDI researchers have been consistently fighting the good fight to uncover vulnerabilities and effectively take them off the market for the ne’er-do-wells.

In case you haven’t heard of ZDI, it’s a bug bounty program that rewards security researchers for responsibly disclosing vulnerabilities in software, from any vendor. Once vulnerabilities have been reported and verified, ZDI works with vendors to ensure that these vulnerabilities are disclosed in a secure fashion so that they can be addressed. This improves the security of software overall, and helps to eliminate opportunities for exploitation.

It’s not just Microsoft that gets attention from ZDI researchers – our researchers are working to uncover vulnerabilities in all different kinds of software from lots of different vendors – including HP. If you’re interested in learning more about the work of ZDI and the resulting hardening of popular software, you can find our published advisories here.

So, yes, this was yet another Patch Tuesday post from a security software company. But for ZDI, Patch Tuesday is one of the best days of the month – a time when we get to see the work of our researchers make an impact in an obvious way – and that’s pretty satisfying.

Patch now, patch often, stay safe.


Heather Goudey
HP Security Research
