We receive patches for moderate to serious security flaws in popular software almost daily nowadays. Does this mean that security is improving or is it playing catch-up?
2015 has been the year of the bug bounty. Companies rewarding researchers for finding vulnerabilities in their websites, software or services have become the norm.
As a result, 2015 has also been the year of the patch. We have seen a tremendous number of serious security flaws patched in some very widely used software.
Are bug bounties and software developers winning the race against vulnerabilities in their own software? Or are they constantly playing catch-up?
Flash and Java
Adobe Flash and Java have to be top of the list.
Oracle recently released patches for 154 vulnerabilities across Java and many of its other products. Adobe, on the other hand, shipped a Flash update that was being exploited almost immediately; its only advice was to remove Flash completely for the time being and wait for a further patch.
Java and Flash are fairly extreme examples, but almost everyone has used, or still uses, them in some way: only a small percentage of their install base needs to skip an update to put a very large number of machines at risk.
“The important distinction is whether the software is lacking or the expertise at both finding bugs and potentially exploiting them is more widespread than ever before,” explains Mark James, ESET IT security specialist.
“There are reports that state bug bounties in the first half of 2015 more than doubled compared to the same period the previous year.
“This has to have an impact on the number of professionals testing and finding bugs for the developers to fix.
“So many of these software programs have been around for years, building on patches and fixes but still use the same underlying code.
“Finding issues and vulnerabilities is a very important part of software security, but fixing those problems quickly is more important. Once these exploits are being used in the wild it must be the developers’ top priority to get these patched and closed.”
As mentioned above, Java and Flash are extreme examples of software that seems to have a never-ending stream of zero-days, followed by endless patching.
Some bug bounties have been extremely successful, and social networks seem to do particularly well: Facebook has awarded $3 million in bounties since 2011, Yahoo paid out $1 million in two years, and in only a few months LinkedIn handed $65k to researchers.
Both software and online services are constantly being probed for flaws and vulnerabilities, so consistent patching is essential.
Bug bounties support this by giving researchers a rewarding way to submit their findings without needing to resort to public disclosure.
Sometimes it may well seem as though the “good guys” are losing the race to stay ahead of the “bad guys”, but at least they are running, and most of them are running as fast as they can.
What do you think of constant patching and bug bounties?
Are you Serious about Security? If you are then check out everything that’s going on during Security Serious week.