Big IT Vendors Lead Patching Laggards
- 09 January, 2012 22:10
IBM, Hewlett-Packard and Microsoft led the list of companies that failed to patch vulnerabilities after being notified by the world's largest bug-bounty program, according to the TippingPoint Zero-Day Initiative (ZDI).
During 2011, TippingPoint -- a division of HP -- released 29 "zero-day" advisories that had information about vulnerabilities the company had reported to IT vendors six or more months earlier. Ten of the 29 were bugs in IBM software, six were in HP applications and five, later patched, were in Microsoft products.
Other vendors on the late-to-patch list included CA, Cisco and EMC.
TippingPoint, which sponsors the Pwn2Own hacking contest, buys information about vulnerabilities from independent security researchers and privately reports them to vendors. It uses the information to craft defenses for its own line of security appliances.
In mid-2010, TippingPoint announced that it would go public with advisories that included "limited details" of reported vulnerabilities if vendors didn't patch them within six months.
TippingPoint released its first zero-day advisory on Feb. 7, 2011.
Last year, TippingPoint said it was using the six-month deadline to push software developers to release patches faster. "By releasing some information, it puts the spotlight on vendors," said Aaron Portnoy, the leader of TippingPoint's security research team.
Portnoy and Derek Brown, a ZDI researcher, said the pressure has worked, more or less. "We've seen a better response," Brown said. "If it doesn't look like they're making a commitment to patching, we release the information."
"It puts pressure on the vendors to patch their products, because the number of unpatched vulnerabilities can change the perception of the product's security," Portnoy argued.
As of late December, TippingPoint's independent researchers generated 350 vulnerability reports, up 16% from 301 a year earlier.
This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on Computerworld.com.