Those who apply security patches are finding that it’s becoming harder to time updates and determine the impact of patching on their organizations. Dustin Childs of Trend Micro’s Zero Day Initiative (ZDI) brought this problem to light at the recent Black Hat security conference: patch quality has not increased and in fact is getting worse. We are dealing with repatching bugs that weren’t fixed right, or variant bugs that could have been patched the first time.

Childs also pointed out that vendors are not providing good information about the Common Vulnerability Scoring System (CVSS) risk to easily analyze whether to patch. The vendor might give a high CVSS risk score to a bug that wouldn’t be easily exploited. I am having to dig more into the details of a bug to better understand the risk of not applying an update immediately. Vendors are adding obscurity to bug information and making it harder to understand the risk.

CVSS scores don’t always reflect the true risk

CVSS is an industry standard meant to help assess the severity of computer system security vulnerabilities. With 10 being the most severe, the higher the CVSS score assigned to the patch, the faster we should be applying the patch. However, after evaluating the extenuating circumstances and additional risk factors, we may not need to be quite so concerned. Worse is when the CVSS score is lower than it should be because it doesn’t account for additional risk factors unique to your organization.

For example, Microsoft’s August security updates include CVE-2022-34715, fixing the Windows Network File System remote code execution vulnerability. The CVSS score is 9.8, which suggests immediate concern. Looking closer at the bug, it only impacts Server 2022 and then only if the NFS 4.0 role service is installed.
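To make that applicability check concrete, here is an added PowerShell snippet (mine, not the article’s or ZDI’s) that reports whether the documented preconditions for CVE-2022-34715 hold on the local host. It assumes the ServerManager module with Get-WindowsFeature is available, as on Windows Server, and that Get-NfsServerConfiguration exposes an EnableNFSV4 property, which is an assumption about the NFS module rather than something the article states.

```powershell
# Added example, not from the article: is CVE-2022-34715 (August 2022 Windows
# NFS remote code execution) even reachable here? The article narrows it to
# Server 2022 with the NFS 4.0 role service, so the 9.8 base score alone does
# not decide the patch priority. EnableNFSV4 is an assumed property name.
function Test-NfsRceApplicability {
    param(
        [string]$Cve = 'CVE-2022-34715'   # label only, quoted from the article
    )
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $isServer2022 = $os.Caption -like '*Server 2022*'

    # Server for NFS is the role service the vulnerable code ships with.
    $feature = Get-WindowsFeature -Name FS-NFS-Service -ErrorAction SilentlyContinue
    $nfsInstalled = ($null -ne $feature) -and [bool]$feature.Installed

    # Only ask the NFS server about protocol versions when it is installed.
    $nfsV4 = $null
    if ($nfsInstalled) {
        $cfg = Get-NfsServerConfiguration -ErrorAction SilentlyContinue
        if ($cfg -and $null -ne $cfg.EnableNFSV4) { $nfsV4 = [bool]$cfg.EnableNFSV4 }
    }

    # Applicable when every documented precondition holds; an unknown NFSv4
    # state is treated as enabled, erring toward patching.
    $applicable = $isServer2022 -and $nfsInstalled -and ($nfsV4 -ne $false)

    $rationale = if (-not $isServer2022) {
        'Not Server 2022: outside the affected product set.'
    } elseif (-not $nfsInstalled) {
        'Server 2022 without Server for NFS: the vulnerable code is not present.'
    } elseif ($nfsV4 -eq $false) {
        'Server for NFS installed but NFSv4 disabled: preconditions not met.'
    } else {
        'Server 2022 with NFSv4 service: treat the 9.8 as genuinely urgent.'
    }

    # Record the reasoning alongside the verdict so the decision can be audited.
    [pscustomobject]@{
        Cve             = $Cve
        Host            = $env:COMPUTERNAME
        OperatingSystem = $os.Caption
        NfsServerRole   = $nfsInstalled
        NfsV4Enabled    = $nfsV4
        Applicable      = $applicable
        Rationale       = $rationale
    }
}

Test-NfsRceApplicability | Format-List
```

Run it across the server estate (for example via Invoke-Command) and the 9.8 collapses to the handful of hosts where Applicable is true.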
The highest rated patch of the August 2022 release probably doesn’t impact you if you aren’t running that particular code.

Patch quality, vendor communication on vulnerabilities declining

Childs pointed out that patching has become worse both in terms of the quality of updates and the reduction of communication surrounding security updates. He stated that we can’t always “just patch it.” Faulty patches don’t make the situation more secure. An enterprise might hold back on updates because a side effect causes a direct business impact. Attackers don’t have that problem. They can exploit vulnerabilities efficiently and quickly without constraints.

Social media and researcher warnings might increase the pressure on CISOs and IT teams to roll out patches. Yet studies have shown that only 5% of bugs are acted upon. So, we no longer can accurately determine the risk, the need to apply updates, or worse yet, the risk of not applying the updates.

Microsoft has removed information from its security bulletins starting in 2020, making it harder to determine if a bulletin applies to your situation. I now review social media posts and track down the social media platforms that the attackers use to get a better understanding of the risk of an update.

Worse, some vendors require customers to log in to gain access to additional information. Vendors might place information in several places scattered across their platforms, making the process of understanding the bug and patches confusing and time-consuming. Known issues are often listed in multiple places and aren’t sent automatically to customers. Patch automation and making information API driven is removing the human guidance and much of the risk analysis needed to better protect ourselves.

ZDI pointed out that across the industry, 10% to 20% of vulnerabilities are being revisited and repatched.
You think you have protected your network from that SharePoint remote code execution bug, but it wasn’t fixed properly and attackers know how to bypass that patch you just applied. You may not realize that you should be following the mitigation guidance rather than relying on patching.

Pressure vendors to better patch and communicate about vulnerabilities

What can you do to better understand risk? First, push back on vendors. The current level of patching and repatching is not ideal for anyone. We need better communication from vendors, and we need to push vendors to do better testing and improve patches so that we’re not redoing patches and receiving faulty updates.

If a vendor contacts you about a new product, give them feedback on the existing products you use. If you attend vendor conferences, seek out vendor representatives and communicate what you need from them.

Next, build information so you can better understand the risk to your organization. It’s said that attackers know our networks better than we do. Know what software you have in your network as well as how exposed you are to external actions and attacks. If you don’t have team members inside your organization who can assist you, look outside your organization. From cyber insurance to red teams or purple teams, look to the external vendors that your organization currently uses to provide security services for your firm.

If your firm is resource constrained, look to industry-specific groups or government agencies that provide information about vulnerabilities and risk. In the United States, for example, InfraGard provides advice for organizations working on critical infrastructure. The High Technology Crime Investigation Association is an international organization that puts you in touch with local computer forensic resources.

ZDI is reducing its disclosure timelines for vendors when they come across repeat bugs as a method to put pressure on them.
As ZDI noted in its talk at Black Hat, if a patch is faulty and they expect exploits, the timeline to disclosure moves to 30 days.

Bottom line: If you feel that patching is a never-ending chore and you and your team are not making headway in protecting your organization, you are not alone. The technology industry needs to step back and step up in helping us out. Patching is not enough.