
Why patching quality, vendor info on vulnerabilities are declining

Aug 24, 2022
Risk Management, Vulnerabilities

It's getting harder to assess the impact of patching or not patching, and too many patches don't fully fix the problem. It's time to pressure vendors.

[Image: patch and update options. Credit: Pashaignatov / Getty Images]

Those who apply security patches are finding that it’s becoming harder to time updates and determine the impact of patching on their organizations. Dustin Childs of Trend Micro’s Zero Day Initiative (ZDI) brought this problem to light at the recent Black Hat security conference: Patch quality has not improved and in fact is getting worse. We are dealing with repatching bugs that weren’t fixed right the first time, or variant bugs that could have been patched along with the original.

Childs also pointed out that vendors are not providing good information about the Common Vulnerability Scoring System (CVSS) risk to easily analyze whether to patch. The vendor might give a high CVSS risk score to a bug that wouldn’t be easily exploited. I am having to dig more into details of a bug to better understand the risk of not applying an update immediately. Vendors are adding obscurity to bug information and making it harder to understand the risk.

CVSS scores don’t always reflect the true risk

CVSS is an industry standard meant to help assess the severity of computer system security vulnerabilities. With 10 being the most severe, the higher the CVSS score assigned to the vulnerability, the faster we should be applying the patch. However, after evaluating the extenuating circumstances and additional risk factors, we may not need to be quite so concerned. Worse is when the CVSS score is lower than it should be because it doesn’t account for additional risk factors unique to your organization.

For example, Microsoft’s August security updates include CVE-2022-34715, fixing the Windows Network File System remote code execution vulnerability. The CVSS score is 9.8, which suggests immediate concern. Looking closer at the bug, it only impacts Server 2022 and then only if the NFS 4.0 role service is installed. The highest rated patch of the August 2022 release probably doesn’t impact you if you aren’t running that particular code.
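As an added illustration, not part of the original article, here is a PowerShell check a Windows administrator could run to see whether the prerequisites the article describes for CVE-2022-34715 (Windows Server 2022 with the Server for NFS role service installed) are actually present on a host. The feature name FS-NFS-Service and the EnableNFSV4 setting are assumptions about how the role service and its NFS v4 option are named; run it on the server as an administrator.

```powershell
# Added example (not from the article): does CVE-2022-34715 plausibly apply here?
# Per the article, the bug affects Windows Server 2022 only when the Server for NFS
# role service is installed. FS-NFS-Service and EnableNFSV4 are assumed names.
function Test-Cve202234715Exposure {
    [CmdletBinding()]
    param()

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $isServer2022 = $os.Caption -like '*Server 2022*'

    # Server for NFS role service (assumed feature name FS-NFS-Service).
    # Get-WindowsFeature only exists on Server SKUs, so probe for it first.
    $nfsFeature = $null
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $nfsFeature = Get-WindowsFeature -Name FS-NFS-Service -ErrorAction SilentlyContinue
    }
    $nfsInstalled = [bool]($nfsFeature -and $nfsFeature.Installed)

    # NFS v4 enablement, if the NFS module is present (assumed property EnableNFSV4).
    $nfsV4Enabled = $null
    if ($nfsInstalled -and (Get-Command Get-NfsServerConfiguration -ErrorAction SilentlyContinue)) {
        try { $nfsV4Enabled = (Get-NfsServerConfiguration).EnableNFSV4 } catch { $nfsV4Enabled = $null }
    }

    # Treat "unknown" v4 state as exposed; only an explicit $false lowers the priority.
    $applies = $isServer2022 -and $nfsInstalled -and ($nfsV4Enabled -ne $false)
    $note = if ($applies) {
        'Vulnerable configuration present: patch promptly despite any side-effect concerns'
    } else {
        'CVSS 9.8 but prerequisites absent on this host: schedule with normal cadence'
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        OSCaption        = $os.Caption
        IsServer2022     = $isServer2022
        NfsRoleInstalled = $nfsInstalled
        NfsV4Enabled     = $nfsV4Enabled
        CvssScore        = 9.8
        LikelyApplies    = $applies
        Recommendation   = $note
    }
}

Test-Cve202234715Exposure | Format-List
```

The check only tells you whether the vulnerable configuration exists; it does not confirm whether the August 2022 update is installed, so pair it with your normal patch inventory.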

Patch quality, vendor communication on vulnerabilities declining

Childs pointed out that patching has become worse both in terms of quality of updates and reduction of communication surrounding security updates. He stated that we can’t always “just patch it.” Faulty patches don’t make the situation more secure. An enterprise might hold back on updates because a side effect causes a direct business impact. Attackers don’t have that problem. They can exploit vulnerabilities efficiently and quickly without constraints.

Social media and researcher warnings might increase the pressure on CISOs and IT teams to roll out patches. Yet studies have shown that only 5% of bugs are acted upon. So, we can no longer accurately determine the risk, the need to apply updates, or worse yet, the risk of not applying the updates.

Microsoft has removed information from its security bulletins starting in 2020, making it harder to determine if a bulletin applies to your situation. I now review social media posts and track down the social media platforms that attackers use to get a better understanding of the risk of an update.

Worse, some vendors require customers to log in to gain access to additional information. Vendors might place information in several places scattered across their platforms, making the process of understanding the bug and its patches confusing and time-consuming. Known issues are often listed in multiple places and aren’t sent automatically to customers. Patch automation and making information API driven are removing the human guidance and much of the risk analysis needed to better protect ourselves.

ZDI pointed out that across the industry, 10% to 20% of vulnerabilities are being revisited and repatched. You think you have protected your network from that SharePoint remote code execution bug, but it wasn’t fixed properly and attackers know how to bypass that patch you just applied. You may not realize that you should be following the mitigation guidance rather than relying on patching.

Pressure vendors to better patch and communicate about vulnerabilities

What can you do to better understand risk? First, push back on vendors. The current level of patching and repatching is not ideal for anyone. We need better communication from vendors and we need to push on vendors to do better testing and improve patches so that we’re not redoing patches and receiving faulty updates.

If a vendor contacts you about a new product, give them feedback on the existing products you use. If you attend vendor conferences, seek out vendor representatives and communicate what you need from them.

Next, build up the information you need to better understand the risk to your organization. It’s said that attackers know our networks better than we do. Know what software you have in your network as well as how exposed you are to external actions and attacks. If you don’t have team members inside your organization who can assist you, look outside your organization. From cyber insurance to red teams or purple teams, look to the external vendors that your organization currently uses to provide security services for your firm.

If your firm is resource constrained, look to industry-specific groups or government agencies that provide information about vulnerabilities and risk. In the United States, for example, InfraGard provides advice for organizations working on critical infrastructure. The High Technology Crime Investigation Association is an international organization that puts you in touch with local computer forensic resources.

ZDI is reducing its disclosure timelines for vendors when it comes across repeat bugs as a method to put pressure on them. As ZDI noted in its talk at Black Hat, if a patch is faulty and they expect exploits, the timeline to disclosure moves to 30 days.

Bottom line: If you feel that patching is a never-ending chore and you and your team are not making headway in protecting your organization, you are not alone. The technology industry needs to step back and step up in helping us out. Patching is not enough.

Contributing Writer

Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for, is a moderator on the listserve, and writes a column of Windows security tips for In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.
