0 day patch
play

0-Day Patch Exposing vendors (in)security performance BlackHat - PowerPoint PPT Presentation

Jan 10, 2024 •234 likes •414 views

BLACKHAT Europe 2008 0-Day Patch 0-Day Patch Exposing vendors (in)security performance BlackHat Europe 2008 Amsterdam Stefan Frei + Bernhard Tellenbach Communication Systems Group ETH Zurich Switzerland http://www.csg.ethz.ch

  1. BLACKHAT Europe 2008 – 0-Day Patch 0-Day Patch Exposing vendors (in)security performance BlackHat Europe 2008 – Amsterdam Stefan Frei + Bernhard Tellenbach Communication Systems Group ETH Zurich – Switzerland http://www.csg.ethz.ch http://www.techzoom.net/risk 0-Day Patch: Exposing Vendors (In)Security Performance 1 Stefan Frei & Bernhard Tellenbach, BlackHat Europe 2008

  2. Evolution of the Security Ecosystem BLACKHAT Europe 2008 – 0-Day Patch � What is the performance of software vendors? � How many patches available at 0-Day? � Does responsible disclosure really work? � Global trends vs. vendor specific issues 0-Day Patch: Exposing Vendors (In)Security Performance 2 Stefan Frei & Bernhard Tellenbach, BlackHat Europe 2008

  3. What is a 0-Day Patch? BLACKHAT Europe 2008 – 0-Day Patch � Lifecycle of a vulnerability - exposure time Non-0-Day Patch 0-Day Patch 0-Day Patch: Exposing Vendors (In)Security Performance 3 Stefan Frei & Bernhard Tellenbach, BlackHat Europe 2008

  4. What is the Disclosure-Date? BLACKHAT Europe 2008 – 0-Day Patch Our requirements: � Vulnerability information is freely available to public � Disclosed by a trusted and independent source � Vulnerability is analyzed and rated by experts Disclosure-Date of a vulnerability: Date of the first advisory issued by a trusted and independent source 0-Day Patch: Exposing Vendors (In)Security Performance 4 Stefan Frei & Bernhard Tellenbach, BlackHat Europe 2008

  5. Data Sources BLACKHAT Europe 2008 – 0-Day Patch 0-Day Patch: Exposing Vendors (In)Security Performance 5 Stefan Frei & Bernhard Tellenbach, BlackHat Europe 2008

  6. 0-Day patch: Overall performance BLACKHAT Europe 2008 – 0-Day Patch Y-Axis: Interpretation of plots Fraction of � 0-Day patch rate since 2002 vulnerabilities patched in less than: � For High and Medium risk 1 day (0-day) vulnerabilities patched till Dec 2007 30 days � Sliding window, 360 days 90 days 180 days � Green (0-day patch) measures after disclosure share of the responsible disclosure process X-Axis: time (years) � Blue+Red measure the performance of vendor to produce # Vulnerabilities a patch in 30 or 90 days patched between 2002-2008 � Grey, do we ever get a patch? Apple: 738 (ever = in less than 180 days) Microsoft: 658 0-Day Patch: Exposing Vendors (In)Security Performance 6 Stefan Frei & Bernhard Tellenbach, BlackHat Europe 2008

  7. 0-Day Patch: Microsoft BLACKHAT Europe 2008 – 0-Day Patch � 0-Day patch rate between 40-80%, huge variation within 5 years � Correlation with development of new OS or service pack (next slide) 0-Day Patch: Exposing Vendors (In)Security Performance 7 Stefan Frei & Bernhard Tellenbach, BlackHat Europe 2008

  8. 0-Day Patch: Microsoft BLACKHAT Europe 2008 – 0-Day Patch WinSrv 2003 R2 WinSrv 2003 SP2 (2005-12-05) (2007-03-13) WinXP SP1 WinSrv 2003 WinXP SP2 WinSrv 2003 SP1 Win Vista (2002-09-09) (2003-04-24) (2004-08-06) (2005-03-30) (2007-01-30) 0-Day Patch: Exposing Vendors (In)Security Performance 8 Stefan Frei & Bernhard Tellenbach, BlackHat Europe 2008

  9. # of Unpatched Vulnerabilities: Microsoft BLACKHAT Europe 2008 – 0-Day Patch Win Server 2003 SP2 Win Server 2003 SP1 (March 13, 2007) (March 30, 2005) Win Server 2003 R2 Win Server 2003 Y-Axis: (December 6, 2005) (April 24, 2003) Number of unpatched vulnerabilities X-Axis: time (years) Win Vista WinXP SP1 WinXP SP2 (January, 30, 2007) (September 9, 2002) (August 6, 2004) � Evolution of the number of unpatched vulnerabilities at a certain date 0-Day Patch: Exposing Vendors (In)Security Performance 9 Stefan Frei & Bernhard Tellenbach, BlackHat Europe 2008

  10. 0-Day Patch: Apple BLACKHAT Europe 2008 – 0-Day Patch � 0-Day patch rate between 0-70%, slow start � Coordinated disclosure took-off no earlier than end 2003 0-Day Patch: Exposing Vendors (In)Security Performance 10 Stefan Frei & Bernhard Tellenbach, BlackHat Europe 2008

  11. 0-Day Patch: Apple BLACKHAT Europe 2008 – 0-Day Patch OS X 10.2 Jaguar OS X 10.3 Panther OS X 10.4 Tiger iPhone OS X 10.5 Leopard (2002-08-02) (2003-10-24) (2005-04-29) (2007-06-29) (2007-10-26) 0-Day Patch: Exposing Vendors (In)Security Performance 11 Stefan Frei & Bernhard Tellenbach, BlackHat Europe 2008

  12. # Unpatched Vulnerabilities: Apple BLACKHAT Europe 2008 – 0-Day Patch Y-Axis: Apple i-Phone release (USA) Number of unpatched (June 29, 2007) vulnerabilities X-Axis: time (years) OSX 10.3 “Panther“ OSX 10.5 “Leopard“ (October 23, 2003) (October 26, 2007) delayed due to i-Phone OSX 10.4 “Tiger“ (April 29, 2005) � Evolution of the number of unpatched vulnerabilities at a certain date 0-Day Patch: Exposing Vendors (In)Security Performance 12 Stefan Frei & Bernhard Tellenbach, BlackHat Europe 2008

  13. High- and Medium Risk Patches: Apple vs. Microsoft BLACKHAT Europe 2008 – 0-Day Patch Apple Y-Axis: Fraction of vulnerabilities patched in less than: 1 day (0-day) 30 days 90 days 180 days Microsoft X-Axis: time (years) # Vulnerabilities Apple: 738 Microsoft: 658 0-Day Patch: Exposing Vendors (In)Security Performance 13 Stefan Frei & Bernhard Tellenbach, BlackHat Europe 2008

  14. #Unpatched Vulnerabilities: Apple vs. Microsoft BLACKHAT Europe 2008 – 0-Day Patch Apple Y-Axis: Number of unpatched vulnerabilities 20 X-Axis: time (years) # Unpatched Microsoft Vulnerabilities 20 (Average) Apple: increasing Microsoft: stable 0-Day Patch: Exposing Vendors (In)Security Performance 14 Stefan Frei & Bernhard Tellenbach, BlackHat Europe 2008

  15. What does this mean? BLACKHAT Europe 2008 – 0-Day Patch � High and medium risk � Coordinated disclosure process is either at a high level (MS) or has increased considerably (Apple) � Fraction of vulnerabilities with 0-day patch is both surprisingly high and shockingly low over last 5 years � Service pack and OS development binds (security) resources � Number of concurrent unpatched vulnerabilities � Microsoft: Remains in the same range (impacted by software lifecycle > devel. resources) � Apple: trend shows increasing number (to few resources to cope with side-effects of increased popularity of their products? ) 0-Day Patch: Exposing Vendors (In)Security Performance 15 Stefan Frei & Bernhard Tellenbach, BlackHat Europe 2008

  16. Conclusion BLACKHAT Europe 2008 – 0-Day Patch � Introduction of 0-day patch as viable metric to measure the security processes of vendors � Metric based on publicly available data � First analysis of the 0-day (in)security performance of software vendors at this scale � “Unbiased” data set by correlating information from multiple sources to antagonize possible bias in vendor information Future � Continued monitoring and database updates � Implications and applications of these findings to security ecosystem and risk analysis models 0-Day Patch: Exposing Vendors (In)Security Performance 16 Stefan Frei & Bernhard Tellenbach, BlackHat Europe 2008

  17. Thank you BLACKHAT Europe 2008 – 0-Day Patch � All plots are online at http://www.techzoom.net/risk � Feedback and comments highly appreciated Research sponsored by Swiss Federal Institute of Technology, Zurich www.csg.ethz.ch 0-Day Patch: Exposing Vendors (In)Security Performance 17 Stefan Frei & Bernhard Tellenbach, BlackHat Europe 2008

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

An Analysis of Patch Plausibility and Correctness of

An Analysis of Patch Plausibility and Correctness of

An Analysis of Patch Plausibility and Correctness of Generate-And- Validate Patch Genera8on System Zichao Qi , Fan Long, Sara Achour, and Mar8n Rinard MIT

323 views • 29 slides
La Larg rge-Scal Scale Patch Patch Reco comme mmendati ation at at Alibab aba Xindong

La Larg rge-Scal Scale Patch Patch Reco comme mmendati ation at at Alibab aba Xindong

La Larg rge-Scal Scale Patch Patch Reco comme mmendati ation at at Alibab aba Xindong Zhang 1 , Chenguang Zhu 2 , Yi Li 3 , Jianmei Guo 1 , Lihua Liu 1 , and Haobo Gu 1 1. Alibaba Group 2. University of Texas at Austin 3. Nanyang

462 views • 7 slides
Non-Inferiority Assessment of Patch Adhesion Non-Inferiority Assessment of Patch Adhesion and and

Non-Inferiority Assessment of Patch Adhesion Non-Inferiority Assessment of Patch Adhesion and and

5/21/2015 Non-Inferiority Assessment of Patch Adhesion Non-Inferiority Assessment of Patch Adhesion and and Dermatology Irritation of Post-Market Dermatology Irritation Evaluation Change and Generic Drug Evaluation Presented by Mark Liu,

529 views • 22 slides
How to install Patch Manager Plus at AWS Steps to install Patch Manager Plus at AWS 1. Login to

How to install Patch Manager Plus at AWS Steps to install Patch Manager Plus at AWS 1. Login to

How to install Patch Manager Plus at AWS Steps to install Patch Manager Plus at AWS 1. Login to Aws console 2. Select launch instance 3. Select your OS 4. Choose instance type 5. Select VPC 6. Add storage 7. Tag your instance 8. Configure security

185 views • 14 slides
Garbage Patch What is it and why is it occuring? -600,000 Square Miles (twice the size of Texas)

Garbage Patch What is it and why is it occuring? -600,000 Square Miles (twice the size of Texas)

Great Pacific Garbage Patch What is it and why is it occuring? -600,000 Square Miles (twice the size of Texas) -1.8 Trillion pieces of microplastic (not biodegradable) -88,000 Tons -Comprised of the Western Garbage Patch (near Japan) and

388 views • 6 slides
Collaborative Project Call ID FP7-SST-2008-RTD-1 Proposal N 233969 Acronym:

Collaborative Project Call ID FP7-SST-2008-RTD-1 Proposal N 233969 Acronym:

COMPOSITE MPOSITE PATCH PATCH REPAIR REPAIR CO OF METALLIC MARINE STRUCTURES OF METALLIC MARINE STRUCTURES Collaborative Project Call ID FP7-SST-2008-RTD-1 Proposal N 233969 Acronym: "Co-Patch www.co-patch.com Duration: 36

663 views • 21 slides
DIY Patch Management F L O R I A N J U N G E ( @ S H A N T YC O D E ) I N G O B E N T E ( @

DIY Patch Management F L O R I A N J U N G E ( @ S H A N T YC O D E ) I N G O B E N T E ( @

DIY Patch Management F L O R I A N J U N G E ( @ S H A N T YC O D E ) I N G O B E N T E ( @ I N G O B E N T E ) B S I D E S M U N I C H 2 0 1 8 Patching Isnt that solved? Nope, its not. R E M E M B E R T H O S E R A N S O M

635 views • 48 slides
PATCH PLANER EX Series UNIVERSAL CUTTER ES Series by Chris Goebel 11/2012 PATCH PLANER EX

PATCH PLANER EX Series UNIVERSAL CUTTER ES Series by Chris Goebel 11/2012 PATCH PLANER EX

PATCH PLANER EX Series UNIVERSAL CUTTER ES Series by Chris Goebel 11/2012 PATCH PLANER EX Series UNIVERSAL CUTTER ES Series by Chris Goebel 03/2013 EX Patch Planer for Excavators EX Patch Planer for Excavators EX Patch Planer for

1.27k views • 80 slides
Versions all the way down Versioning commits and patches with git-series Josh Triplett

Versions all the way down Versioning commits and patches with git-series Josh Triplett

Versions all the way down Versioning commits and patches with git-series Josh Triplett josh@joshtriplett.org LinuxCon North America 2016 RFC: feature RFC: feature Development git commit git format-patch -3 git format-patch -3 [PATCH 1/3]

1.19k views • 105 slides
A Plan 9 Approach to Hierarchical Patch Dynamics John (EBo) David IWP9 2010 Seattle, WA Many

A Plan 9 Approach to Hierarchical Patch Dynamics John (EBo) David IWP9 2010 Seattle, WA Many

A Plan 9 Approach to Hierarchical Patch Dynamics John (EBo) David IWP9 2010 Seattle, WA Many Problems are Inherently Multiscale Wu & David (2001) Hierarchical Patch Dynamics (HPD) ( Wu and Loucks 1995) HPD explicitly integrates

188 views • 15 slides
Bruin Patch & Big Wave C ate ring Recipe for Success: Community Partnerships Recipe for

Bruin Patch & Big Wave C ate ring Recipe for Success: Community Partnerships Recipe for

Brookings-Harbor School District 17C School-based Businesses Bruin Patch & Big Wave C ate ring Recipe for Success: Community Partnerships Recipe for success OSU Extension Office Local School District 4H Youth Bruin Patch &

612 views • 12 slides
Review of Patch Reviewing Stephen Frost Crunchy Data stephen@crunchydata.com PGConf.EU 2018

Review of Patch Reviewing Stephen Frost Crunchy Data stephen@crunchydata.com PGConf.EU 2018

Review of Patch Reviewing Stephen Frost Crunchy Data stephen@crunchydata.com PGConf.EU 2018 October 24, 2018 Introduction About Patches Commitfests Reviewing a Patch Committing Patches Committers Stephen Frost Chief Technology Officer @

637 views • 25 slides
Ordinance Slide PHOTO 1: Deteriorated brownstone unit. PHOTO 2: Loose brownstone, pointing, and

Ordinance Slide PHOTO 1: Deteriorated brownstone unit. PHOTO 2: Loose brownstone, pointing, and

Ordinance Slide PHOTO 1: Deteriorated brownstone unit. PHOTO 2: Loose brownstone, pointing, and patch material. PHOTO 4: Deteriorated patch repair after manual removal. PHOTO 3: Deteriorated patch repairs and vertical cracks in brownstone.

554 views • 26 slides
Composer: good practices Kuba Weros Semantic Versioning MAJOR.MINOR.PATCH 1. MAJOR

Composer: good practices Kuba Weros Semantic Versioning MAJOR.MINOR.PATCH 1. MAJOR

Composer: good practices Kuba Weros Semantic Versioning MAJOR.MINOR.PATCH 1. MAJOR incompatible (breaking) API changes, 2. MINOR add functionality in a backwards-compatible manner, 3. PATCH backwards-compatible bug fixes.

578 views • 42 slides
Its Easier to Br(e)ak(e) Than to Patch: A Stealthy DoS attack against CAN Stefano Longari,

Its Easier to Br(e)ak(e) Than to Patch: A Stealthy DoS attack against CAN Stefano Longari,

Its Easier to Br(e)ak(e) Than to Patch: A Stealthy DoS attack against CAN Stefano Longari, Stefano Zanero Politecnico di Milano Acknowledgments: Matteo Penco, Michele Carminati, Andrea Palanca, Eric Evenchick, Federico Maggi $whoami Stefano

788 views • 49 slides
1 Bilinear Patch Bicubic Bezier Patch Editing Bicubic Bezier Patches Curve Basis Functions

1 Bilinear Patch Bicubic Bezier Patch Editing Bicubic Bezier Patches Curve Basis Functions

Bzier Surfaces http://www.ibiblio.org/e-notes/Splines/fig/surf2.gif Bezier Surfaces Introduction Constructing a surface relies very much on the ideas behind constructing curves Surfaces can be thought of as Bezier curves in all

290 views • 5 slides
CSG Justice Center National non-profit, non-partisan membership association of state

CSG Justice Center National non-profit, non-partisan membership association of state

10/27/2011 OJACC 25 th Annual Conference th l f Reducing Recidivism Through Collaboration Council of State Governments Justice Center Marc Pelka August 15, 2011 CSG Justice Center

402 views • 19 slides
(DG) Procurement Presented by the Illinois Solar Association and Carbon Solutions Group Illinois

(DG) Procurement Presented by the Illinois Solar Association and Carbon Solutions Group Illinois

Illinois Distributed Generation (DG) Procurement Presented by the Illinois Solar Association and Carbon Solutions Group Illinois Procurements for 2015 Supplemental PV Procurement Two bid categories <25kW, 25kW-2MW ONLY for systems

427 views • 16 slides
SOUTH CAUCASUS PIPELINE EXPANSION PROJECT (SCPX) 2019 SOUTH CAUCASUS PIPELINE EXPANSION PROJECT

SOUTH CAUCASUS PIPELINE EXPANSION PROJECT (SCPX) 2019 SOUTH CAUCASUS PIPELINE EXPANSION PROJECT

Engineering for a Better Future SOUTH CAUCASUS PIPELINE EXPANSION PROJECT (SCPX) 2019 SOUTH CAUCASUS PIPELINE EXPANSION PROJECT (SCPX ) The existing 690 km South Caucasus Pipeline is 42 diameter and transports gas from the Sangachal Terminal

250 views • 11 slides
Stepping Up Ohio Summit: Housing Monday, October 22, 2018 1 Presenters: Liz Buck, Deputy

Stepping Up Ohio Summit: Housing Monday, October 22, 2018 1 Presenters: Liz Buck, Deputy

10/19/18 Stepping Up Ohio Summit: Housing Monday, October 22, 2018 1 Presenters: Liz Buck, Deputy Program Director, Behavioral Health, The Council of State Governments Justice Center Sally Luken, President, Luken Solutions 2 1 10/19/18 Cr

148 views • 14 slides
Cyber Incident Management -National and Regional Lessons Learned- Masanori Sasaki Deputy

Cyber Incident Management -National and Regional Lessons Learned- Masanori Sasaki Deputy

ARF Seminar on Operationalizing Cyber CBMs at Singapore 21 22 October 2015 Cyber Incident Management -National and Regional Lessons Learned- Masanori Sasaki Deputy Counsellor, NISC, Cabinet Secretariat, Japan Our organization NISC : N

229 views • 5 slides
Extending the Charter: Addressing Vulnerability and Exploit Information Yurie Yurie I to I to

Extending the Charter: Addressing Vulnerability and Exploit Information Yurie Yurie I to I to

I ETF I NCH W orking Group Meeting 5 th August 2 0 0 4 , San Diego CA US Extending the Charter: Addressing Vulnerability and Exploit Information Yurie Yurie I to I to I an Bryant I an Bryant Liaison Manager Head, Capability Developm ent

389 views • 22 slides
EU - Network and Information Security (NIS) Directive George Michaelides Commissioner of

EU - Network and Information Security (NIS) Directive George Michaelides Commissioner of

EU - Network and Information Security (NIS) Directive George Michaelides Commissioner of Electronic Communications and Postal Regulation http://www.ocecpr.org.cy 22 nd November 2016 1 Overview Cybersecurity Facts European Cybersecurity

289 views • 18 slides
Operational Security in EGEE Romain Wartel, CERN IT EGEE Operational Security Coordination Team

Operational Security in EGEE Romain Wartel, CERN IT EGEE Operational Security Coordination Team

Enabling Grids for E-sciencE Operational Security in EGEE Romain Wartel, CERN IT EGEE Operational Security Coordination Team http://www.eu-egee.org/security/ International Symposium on Grid Computing (ISGC) 2008 Academia Sinica, Taipei, 7 - 11

362 views • 14 slides

More recommend