0 day patch
play

0-Day Patch Exposing vendors (in)security performance BlackHat - PowerPoint PPT Presentation

Jan 10, 2024 •234 likes •414 views

BLACKHAT Europe 2008 0-Day Patch 0-Day Patch Exposing vendors (in)security performance BlackHat Europe 2008 Amsterdam Stefan Frei + Bernhard Tellenbach Communication Systems Group ETH Zurich Switzerland http://www.csg.ethz.ch

  1. BLACKHAT Europe 2008 – 0-Day Patch 0-Day Patch Exposing vendors (in)security performance BlackHat Europe 2008 – Amsterdam Stefan Frei + Bernhard Tellenbach Communication Systems Group ETH Zurich – Switzerland http://www.csg.ethz.ch http://www.techzoom.net/risk 0-Day Patch: Exposing Vendors (In)Security Performance 1 Stefan Frei & Bernhard Tellenbach, BlackHat Europe 2008

  2. Evolution of the Security Ecosystem BLACKHAT Europe 2008 – 0-Day Patch � What is the performance of software vendors? � How many patches available at 0-Day? � Does responsible disclosure really work? � Global trends vs. vendor specific issues 0-Day Patch: Exposing Vendors (In)Security Performance 2 Stefan Frei & Bernhard Tellenbach, BlackHat Europe 2008

  3. What is a 0-Day Patch? BLACKHAT Europe 2008 – 0-Day Patch � Lifecycle of a vulnerability - exposure time Non-0-Day Patch 0-Day Patch 0-Day Patch: Exposing Vendors (In)Security Performance 3 Stefan Frei & Bernhard Tellenbach, BlackHat Europe 2008

  4. What is the Disclosure-Date? BLACKHAT Europe 2008 – 0-Day Patch Our requirements: � Vulnerability information is freely available to public � Disclosed by a trusted and independent source � Vulnerability is analyzed and rated by experts Disclosure-Date of a vulnerability: Date of the first advisory issued by a trusted and independent source 0-Day Patch: Exposing Vendors (In)Security Performance 4 Stefan Frei & Bernhard Tellenbach, BlackHat Europe 2008

  5. Data Sources BLACKHAT Europe 2008 – 0-Day Patch 0-Day Patch: Exposing Vendors (In)Security Performance 5 Stefan Frei & Bernhard Tellenbach, BlackHat Europe 2008

  6. 0-Day patch: Overall performance BLACKHAT Europe 2008 – 0-Day Patch Y-Axis: Interpretation of plots Fraction of � 0-Day patch rate since 2002 vulnerabilities patched in less than: � For High and Medium risk 1 day (0-day) vulnerabilities patched till Dec 2007 30 days � Sliding window, 360 days 90 days 180 days � Green (0-day patch) measures after disclosure share of the responsible disclosure process X-Axis: time (years) � Blue+Red measure the performance of vendor to produce # Vulnerabilities a patch in 30 or 90 days patched between 2002-2008 � Grey, do we ever get a patch? Apple: 738 (ever = in less than 180 days) Microsoft: 658 0-Day Patch: Exposing Vendors (In)Security Performance 6 Stefan Frei & Bernhard Tellenbach, BlackHat Europe 2008

  7. 0-Day Patch: Microsoft BLACKHAT Europe 2008 – 0-Day Patch � 0-Day patch rate between 40-80%, huge variation within 5 years � Correlation with development of new OS or service pack (next slide) 0-Day Patch: Exposing Vendors (In)Security Performance 7 Stefan Frei & Bernhard Tellenbach, BlackHat Europe 2008

  8. 0-Day Patch: Microsoft BLACKHAT Europe 2008 – 0-Day Patch WinSrv 2003 R2 WinSrv 2003 SP2 (2005-12-05) (2007-03-13) WinXP SP1 WinSrv 2003 WinXP SP2 WinSrv 2003 SP1 Win Vista (2002-09-09) (2003-04-24) (2004-08-06) (2005-03-30) (2007-01-30) 0-Day Patch: Exposing Vendors (In)Security Performance 8 Stefan Frei & Bernhard Tellenbach, BlackHat Europe 2008

  9. # of Unpatched Vulnerabilities: Microsoft BLACKHAT Europe 2008 – 0-Day Patch Win Server 2003 SP2 Win Server 2003 SP1 (March 13, 2007) (March 30, 2005) Win Server 2003 R2 Win Server 2003 Y-Axis: (December 6, 2005) (April 24, 2003) Number of unpatched vulnerabilities X-Axis: time (years) Win Vista WinXP SP1 WinXP SP2 (January, 30, 2007) (September 9, 2002) (August 6, 2004) � Evolution of the number of unpatched vulnerabilities at a certain date 0-Day Patch: Exposing Vendors (In)Security Performance 9 Stefan Frei & Bernhard Tellenbach, BlackHat Europe 2008

  10. 0-Day Patch: Apple BLACKHAT Europe 2008 – 0-Day Patch � 0-Day patch rate between 0-70%, slow start � Coordinated disclosure took-off no earlier than end 2003 0-Day Patch: Exposing Vendors (In)Security Performance 10 Stefan Frei & Bernhard Tellenbach, BlackHat Europe 2008

  11. 0-Day Patch: Apple BLACKHAT Europe 2008 – 0-Day Patch OS X 10.2 Jaguar OS X 10.3 Panther OS X 10.4 Tiger iPhone OS X 10.5 Leopard (2002-08-02) (2003-10-24) (2005-04-29) (2007-06-29) (2007-10-26) 0-Day Patch: Exposing Vendors (In)Security Performance 11 Stefan Frei & Bernhard Tellenbach, BlackHat Europe 2008

  12. # Unpatched Vulnerabilities: Apple BLACKHAT Europe 2008 – 0-Day Patch Y-Axis: Apple i-Phone release (USA) Number of unpatched (June 29, 2007) vulnerabilities X-Axis: time (years) OSX 10.3 “Panther“ OSX 10.5 “Leopard“ (October 23, 2003) (October 26, 2007) delayed due to i-Phone OSX 10.4 “Tiger“ (April 29, 2005) � Evolution of the number of unpatched vulnerabilities at a certain date 0-Day Patch: Exposing Vendors (In)Security Performance 12 Stefan Frei & Bernhard Tellenbach, BlackHat Europe 2008

  13. High- and Medium Risk Patches: Apple vs. Microsoft BLACKHAT Europe 2008 – 0-Day Patch Apple Y-Axis: Fraction of vulnerabilities patched in less than: 1 day (0-day) 30 days 90 days 180 days Microsoft X-Axis: time (years) # Vulnerabilities Apple: 738 Microsoft: 658 0-Day Patch: Exposing Vendors (In)Security Performance 13 Stefan Frei & Bernhard Tellenbach, BlackHat Europe 2008

  14. #Unpatched Vulnerabilities: Apple vs. Microsoft BLACKHAT Europe 2008 – 0-Day Patch Apple Y-Axis: Number of unpatched vulnerabilities 20 X-Axis: time (years) # Unpatched Microsoft Vulnerabilities 20 (Average) Apple: increasing Microsoft: stable 0-Day Patch: Exposing Vendors (In)Security Performance 14 Stefan Frei & Bernhard Tellenbach, BlackHat Europe 2008

  15. What does this mean? BLACKHAT Europe 2008 – 0-Day Patch � High and medium risk � Coordinated disclosure process is either at a high level (MS) or has increased considerably (Apple) � Fraction of vulnerabilities with 0-day patch is both surprisingly high and shockingly low over last 5 years � Service pack and OS development binds (security) resources � Number of concurrent unpatched vulnerabilities � Microsoft: Remains in the same range (impacted by software lifecycle > devel. resources) � Apple: trend shows increasing number (to few resources to cope with side-effects of increased popularity of their products? ) 0-Day Patch: Exposing Vendors (In)Security Performance 15 Stefan Frei & Bernhard Tellenbach, BlackHat Europe 2008

  16. Conclusion BLACKHAT Europe 2008 – 0-Day Patch � Introduction of 0-day patch as viable metric to measure the security processes of vendors � Metric based on publicly available data � First analysis of the 0-day (in)security performance of software vendors at this scale � “Unbiased” data set by correlating information from multiple sources to antagonize possible bias in vendor information Future � Continued monitoring and database updates � Implications and applications of these findings to security ecosystem and risk analysis models 0-Day Patch: Exposing Vendors (In)Security Performance 16 Stefan Frei & Bernhard Tellenbach, BlackHat Europe 2008

  17. Thank you BLACKHAT Europe 2008 – 0-Day Patch � All plots are online at http://www.techzoom.net/risk � Feedback and comments highly appreciated Research sponsored by Swiss Federal Institute of Technology, Zurich www.csg.ethz.ch 0-Day Patch: Exposing Vendors (In)Security Performance 17 Stefan Frei & Bernhard Tellenbach, BlackHat Europe 2008

Recommend

An Analysis of Patch Plausibility and Correctness of

An Analysis of Patch Plausibility and Correctness of

An Analysis of Patch Plausibility and Correctness of Generate-And- Validate Patch Genera8on System Zichao Qi , Fan Long, Sara Achour, and Mar8n Rinard MIT

323 views • 29 slides
La Larg rge-Scal Scale Patch Patch Reco comme mmendati ation at at Alibab aba Xindong

La Larg rge-Scal Scale Patch Patch Reco comme mmendati ation at at Alibab aba Xindong

La Larg rge-Scal Scale Patch Patch Reco comme mmendati ation at at Alibab aba Xindong Zhang 1 , Chenguang Zhu 2 , Yi Li 3 , Jianmei Guo 1 , Lihua Liu 1 , and Haobo Gu 1 1. Alibaba Group 2. University of Texas at Austin 3. Nanyang

462 views • 7 slides
Non-Inferiority Assessment of Patch Adhesion Non-Inferiority Assessment of Patch Adhesion and and

Non-Inferiority Assessment of Patch Adhesion Non-Inferiority Assessment of Patch Adhesion and and

5/21/2015 Non-Inferiority Assessment of Patch Adhesion Non-Inferiority Assessment of Patch Adhesion and and Dermatology Irritation of Post-Market Dermatology Irritation Evaluation Change and Generic Drug Evaluation Presented by Mark Liu,

529 views • 22 slides
How to install Patch Manager Plus at AWS Steps to install Patch Manager Plus at AWS 1. Login to

How to install Patch Manager Plus at AWS Steps to install Patch Manager Plus at AWS 1. Login to

How to install Patch Manager Plus at AWS Steps to install Patch Manager Plus at AWS 1. Login to Aws console 2. Select launch instance 3. Select your OS 4. Choose instance type 5. Select VPC 6. Add storage 7. Tag your instance 8. Configure security

185 views • 14 slides
Garbage Patch What is it and why is it occuring? -600,000 Square Miles (twice the size of Texas)

Garbage Patch What is it and why is it occuring? -600,000 Square Miles (twice the size of Texas)

Great Pacific Garbage Patch What is it and why is it occuring? -600,000 Square Miles (twice the size of Texas) -1.8 Trillion pieces of microplastic (not biodegradable) -88,000 Tons -Comprised of the Western Garbage Patch (near Japan) and

388 views • 6 slides
Collaborative Project Call ID FP7-SST-2008-RTD-1 Proposal N 233969 Acronym:

Collaborative Project Call ID FP7-SST-2008-RTD-1 Proposal N 233969 Acronym:

COMPOSITE MPOSITE PATCH PATCH REPAIR REPAIR CO OF METALLIC MARINE STRUCTURES OF METALLIC MARINE STRUCTURES Collaborative Project Call ID FP7-SST-2008-RTD-1 Proposal N 233969 Acronym: "Co-Patch www.co-patch.com Duration: 36

663 views • 21 slides
DIY Patch Management F L O R I A N J U N G E ( @ S H A N T YC O D E ) I N G O B E N T E ( @

DIY Patch Management F L O R I A N J U N G E ( @ S H A N T YC O D E ) I N G O B E N T E ( @

DIY Patch Management F L O R I A N J U N G E ( @ S H A N T YC O D E ) I N G O B E N T E ( @ I N G O B E N T E ) B S I D E S M U N I C H 2 0 1 8 Patching Isnt that solved? Nope, its not. R E M E M B E R T H O S E R A N S O M

635 views • 48 slides
PATCH PLANER EX Series UNIVERSAL CUTTER ES Series by Chris Goebel 11/2012 PATCH PLANER EX

PATCH PLANER EX Series UNIVERSAL CUTTER ES Series by Chris Goebel 11/2012 PATCH PLANER EX

PATCH PLANER EX Series UNIVERSAL CUTTER ES Series by Chris Goebel 11/2012 PATCH PLANER EX Series UNIVERSAL CUTTER ES Series by Chris Goebel 03/2013 EX Patch Planer for Excavators EX Patch Planer for Excavators EX Patch Planer for

1.27k views • 80 slides
Versions all the way down Versioning commits and patches with git-series Josh Triplett

Versions all the way down Versioning commits and patches with git-series Josh Triplett

Versions all the way down Versioning commits and patches with git-series Josh Triplett josh@joshtriplett.org LinuxCon North America 2016 RFC: feature RFC: feature Development git commit git format-patch -3 git format-patch -3 [PATCH 1/3]

1.19k views • 105 slides
A Plan 9 Approach to Hierarchical Patch Dynamics John (EBo) David IWP9 2010 Seattle, WA Many

A Plan 9 Approach to Hierarchical Patch Dynamics John (EBo) David IWP9 2010 Seattle, WA Many

A Plan 9 Approach to Hierarchical Patch Dynamics John (EBo) David IWP9 2010 Seattle, WA Many Problems are Inherently Multiscale Wu & David (2001) Hierarchical Patch Dynamics (HPD) ( Wu and Loucks 1995) HPD explicitly integrates

188 views • 15 slides
Bruin Patch & Big Wave C ate ring Recipe for Success: Community Partnerships Recipe for

Bruin Patch & Big Wave C ate ring Recipe for Success: Community Partnerships Recipe for

Brookings-Harbor School District 17C School-based Businesses Bruin Patch & Big Wave C ate ring Recipe for Success: Community Partnerships Recipe for success OSU Extension Office Local School District 4H Youth Bruin Patch &

612 views • 12 slides
Review of Patch Reviewing Stephen Frost Crunchy Data stephen@crunchydata.com PGConf.EU 2018

Review of Patch Reviewing Stephen Frost Crunchy Data stephen@crunchydata.com PGConf.EU 2018

Review of Patch Reviewing Stephen Frost Crunchy Data stephen@crunchydata.com PGConf.EU 2018 October 24, 2018 Introduction About Patches Commitfests Reviewing a Patch Committing Patches Committers Stephen Frost Chief Technology Officer @

637 views • 25 slides
Ordinance Slide PHOTO 1: Deteriorated brownstone unit. PHOTO 2: Loose brownstone, pointing, and

Ordinance Slide PHOTO 1: Deteriorated brownstone unit. PHOTO 2: Loose brownstone, pointing, and

Ordinance Slide PHOTO 1: Deteriorated brownstone unit. PHOTO 2: Loose brownstone, pointing, and patch material. PHOTO 4: Deteriorated patch repair after manual removal. PHOTO 3: Deteriorated patch repairs and vertical cracks in brownstone.

554 views • 26 slides
Composer: good practices Kuba Weros Semantic Versioning MAJOR.MINOR.PATCH 1. MAJOR

Composer: good practices Kuba Weros Semantic Versioning MAJOR.MINOR.PATCH 1. MAJOR

Composer: good practices Kuba Weros Semantic Versioning MAJOR.MINOR.PATCH 1. MAJOR incompatible (breaking) API changes, 2. MINOR add functionality in a backwards-compatible manner, 3. PATCH backwards-compatible bug fixes.

578 views • 42 slides
Its Easier to Br(e)ak(e) Than to Patch: A Stealthy DoS attack against CAN Stefano Longari,

Its Easier to Br(e)ak(e) Than to Patch: A Stealthy DoS attack against CAN Stefano Longari,

Its Easier to Br(e)ak(e) Than to Patch: A Stealthy DoS attack against CAN Stefano Longari, Stefano Zanero Politecnico di Milano Acknowledgments: Matteo Penco, Michele Carminati, Andrea Palanca, Eric Evenchick, Federico Maggi $whoami Stefano

788 views • 49 slides
1 Bilinear Patch Bicubic Bezier Patch Editing Bicubic Bezier Patches Curve Basis Functions

1 Bilinear Patch Bicubic Bezier Patch Editing Bicubic Bezier Patches Curve Basis Functions

Bzier Surfaces http://www.ibiblio.org/e-notes/Splines/fig/surf2.gif Bezier Surfaces Introduction Constructing a surface relies very much on the ideas behind constructing curves Surfaces can be thought of as Bezier curves in all

290 views • 5 slides
Our story At Gemtree we have been gifted the opportunity to work a unique patch of the earth in

Our story At Gemtree we have been gifted the opportunity to work a unique patch of the earth in

Our story At Gemtree we have been gifted the opportunity to work a unique patch of the earth in South Australias McLaren Vale. By respecting and nurturing this land we harvest high quality, flavourful grapes each and every vintage from

371 views • 9 slides
Centralised patch management J. Barhorst & M. Pels July 5, 2005 What did we do? Contents

Centralised patch management J. Barhorst & M. Pels July 5, 2005 What did we do? Contents

Centralised patch management J. Barhorst & M. Pels July 5, 2005 What did we do? Contents Activities Comparison Look at client update tools Requirements Create list of research topics Proof of Concept Conclusion

389 views • 16 slides
PlaneMatch: Patch Coplanarity Prediction for Robust RGB-D Reconstruction Yifei Shi, Kai Xu,

PlaneMatch: Patch Coplanarity Prediction for Robust RGB-D Reconstruction Yifei Shi, Kai Xu,

PlaneMatch: Patch Coplanarity Prediction for Robust RGB-D Reconstruction Yifei Shi, Kai Xu, Matthias Niessner, Szymon Rusinkiewicz, Thomas Funkhouser Princeton University National University of Defense Technology Technical University of Munich

417 views • 38 slides
PATCH MANAGER. The Comprehensive Connectivity and Asset Management Software Solution About

PATCH MANAGER. The Comprehensive Connectivity and Asset Management Software Solution About

PATCH MANAGER. The Comprehensive Connectivity and Asset Management Software Solution About Patchmanager B.V. Software technology company Established in 2002 Based out of Amsterdam, the Netherlands Independent, owner

493 views • 20 slides
High order multi- block/patch evolutions of Einsteins equations: an update or From

High order multi- block/patch evolutions of Einsteins equations: an update or From

High order multi- block/patch evolutions of Einsteins equations: an update or From differential geometry to multiple blocks or From energy estimates to numerical stability Manuel Tiglio Department of Physics & Astronomy and Center for

518 views • 23 slides
Pat Patch ch-based based Ei Eigen en-fac ace e Isomap omap Netw Networ orks ks By:

Pat Patch ch-based based Ei Eigen en-fac ace e Isomap omap Netw Networ orks ks By:

Fac acial ial Ex Expression ression Det etecti ection on using ng Pat Patch ch-based based Ei Eigen en-fac ace e Isomap omap Netw Networ orks ks By: Sohini Roychowdhury, Assistant Professor, Department of Electrical and

951 views • 17 slides
From Derricks to Desktops litigation in the oil patch David Kirk, CPA, ABV, CFF Forensics

From Derricks to Desktops litigation in the oil patch David Kirk, CPA, ABV, CFF Forensics

From Derricks to Desktops litigation in the oil patch David Kirk, CPA, ABV, CFF Forensics and Litigation Services Setting the Stage Why are we seeing an increase in litigation in the Oil and Gas Industry? 1. Market Volatility - Most

469 views • 34 slides
Presentation to NSPE PECon18 Beachhead of the Coming AI Tsunami By Anthony Patch Beachhead: a

Presentation to NSPE PECon18 Beachhead of the Coming AI Tsunami By Anthony Patch Beachhead: a

Presentation to NSPE PECon18 Beachhead of the Coming AI Tsunami By Anthony Patch Beachhead: a secure initial position that has been gained and can be used for further advancement www.dictionary.com Introduction Todays Artificial Intelligence

372 views • 7 slides

More recommend