Patching: You can’t live with it, but you definitely can’t live without it. And as many firms have discovered, failing to patch quickly can land you in painfully hot water.
Despite that being widely understood, many businesses aren’t applying fixes as soon as they arrive, sometimes ignoring dangerous flaws in their software. Case in point: A third of all devices are still not patched for Log4Shell, the infamous vulnerability that first emerged over three years ago, despite the flaw being used in multiple attacks.
So, why the delay? To demonstrate the breadth of the issue, we’ve selected three of the worst unpatched flaws of recent times below. What can be learnt from these, why are so many firms slow to patch, and what can be done about it?
Log4Shell is the vulnerability in Apache’s Log4j logging library, which is used in millions of Java-based applications. With a CVSS score (the common vulnerability scoring system) of a whopping 10 (the maximum grade), Log4Shell could allow attackers to execute code on servers running affected applications.
First made public at the end of 2021, Log4Shell has been called the most critical vulnerability ever discovered, says Daniel Komenda, focal analyst lead at NormCyber. “There were some good reasons for that – estimates showed it could have affected hundreds of millions of assets, including widely used and trusted cloud service providers.”
It’s hard to think of a single vulnerability that has worried security teams more than Log4Shell, agrees Sergio Figueroa Santos, senior consultant at the Synopsys Software Integrity Group. “Admins rushed to deploy patches, security vendors promptly announced how their solutions protected customers, and many consulting hours were devoted to answering the question, is our system exposed?”
Despite all this, many firms failed to patch in time, with some finding it challenging even to work out which systems were vulnerable. A notable victim was ONUS, one of the largest Vietnamese crypto trading platforms, which suffered a ransom attack on its payment system running a vulnerable Log4j version.
In May 2023, a SQL injection vulnerability (with a CVSS score of 9.8) was found in Progress Software’s file transfer software MOVEit.
The company quickly issued a fix, but the flaw was already being used in attacks, and by June, it emerged that the prolific ransomware gang Cl0p was exploiting the vulnerability.
Firms that failed to patch the issue quickly have certainly learned the hard way. Soon after the patch was released, it was discovered that payroll provider Zellis had been hit by the MOVEit cyber attack, with companies including the BBC, Boots and British Airways suffering data breaches.
Other victims include professional services network Ernst & Young and UK communications watchdog Ofcom.
“Exploitation of this mainstream file-sharing solution was used extensively to disrupt, ransom or infiltrate data from various government, financial services, transport and insurance organisations,” says Nick McKenzie, CIO and CISO at Bugcrowd.
Another critical vulnerability discovered in 2023 is an issue in Citrix NetScaler application delivery controller (ADC) and NetScaler Gateway appliances, artfully dubbed CitrixBleed. With a CVSS score of 9.4, the easy-to-exploit flaw was deemed so severe that it led to a joint advisory by the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, including advice on spotting and mitigating attacks.
Citrix released a patch in October last year, but attackers have exploited the bug since August 2023. Many firms still haven’t applied the fix, so it’s no surprise CitrixBleed is still being exploited by ransomware attackers.
Affiliates of the LockBit group have been observed targeting organisations in so-called critical infrastructure sectors, including government, healthcare, financial services, energy and manufacturing.
Exploiting Citrix’s NetScaler devices, which provide corporations with remote access and traffic management capabilities, was “a big doozy”, says McKenzie. “Exploiting the vulnerability can remotely and easily bypass traditional password and multi-factor controls to hijack a user’s session.”
The sheer number of patches needed can make it difficult for cybersecurity teams to keep up, which may explain why even the worst vulnerabilities of recent times so often go unpatched. Over 65,000 unique CVEs were discovered in 2023, according to security company Armis’ new Anatomy of Cybersecurity research report.
Meanwhile, the 2023 Qualys TruRisk Research Report shows that even weaponised vulnerabilities can remain unpatched for over 30 days. This average goes down for more common and widely used services such as Google Chrome or Microsoft Windows, where the average time to patch is 17 days.
“In practice, Windows and Chrome are patched twice as fast and twice as often as other applications, but the browser and operating system are only the beginning of the attack surface,” says Alex Kreilein, vice president of product security at Qualys. “We have seen file transfer applications attacked, indicating that threat actors are focusing on internet-facing business productivity tools for exploitation.”
Moreover, the time between disclosure of a new or zero-day vulnerability and the time for it to be actively exploited is reducing rapidly, says Sean Wright, head of application security at Featurespace.
Wright cites the example of a flaw in Ivanti Connect Secure and Ivanti Policy Secure products, which is being exploited in attacks as of early February 2024 after being disclosed in late January.
This vulnerability points to a problem many organisations face: a lack of resources, which makes timely patching hard to guarantee. “In January, no immediate patch was available, so teams had to implement the appropriate mitigation steps to prevent exploitation. Teams now have to install the new patch as soon as possible, again taking up team resources.”
To make matters worse, the details contained within vulnerability disclosures are often “inconsistent, confusing or unhelpful”, says Wright. “So teams have to spend additional time trying to assess just how the vulnerability affects their organisation. Often, this can take anything from an hour to a full day’s effort.”
Delays can also happen if organisations operating in regulated industries need to comply with specific regulations governing software patching. Komenda says this can introduce additional processes and documentation requirements.
Legacy systems are another issue that can be costly for a business, says Komenda. “Mitigating this issue usually requires a bigger project such as cloud migration – or a significant budget for replacement.”
It’s clear that change needs to happen. Repeating the same approach to vulnerabilities – “a game of whack-a-mole” – is no longer going to work, says Wright. “We need to move away from the misconception that addressing all high-risk and critical vulnerabilities within a given time will keep organisations safe. Instead, we must become far more intelligent in dealing with vulnerabilities and focus on the highest risk items first.”
At the same time, there needs to be an awakening among business leaders that cyber risk items such as emergency patching of critical vulnerabilities need to trump “operational” decisions, says McKenzie.
Meanwhile, “complete and continuous visibility into your attack surface” is essential, says Curtis Simpson, CISO at Armis. “This involves identifying all devices connected to the network, their contextual value to the business, and how they’re vulnerable and exposing the company to potential impacts.”
To keep up with the latest patches, Wright advises looking at sources such as the CISA KEV catalogue, media reports, or even X/Twitter. “Use this to drive the items that need urgent patching, for example, the flaws where known exploits are available.”
Leave the rest to remain in your periodic – and “hopefully monthly” – patching cadence, Wright says. “This way, you can focus on the vulnerabilities that represent the most risk to your organisation and get those resolved in a timely manner.”
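Wright’s two-tier approach above (pull the known-exploited items out of the backlog for urgent patching, leave the rest in the periodic cadence) is easy to automate against the CISA KEV catalogue. The script below is an added example, not code from the article or from any vendor quoted in it. It assumes the KEV feed’s JSON shape (a `vulnerabilities` array with `cveID`, `knownRansomwareCampaignUse` and `dueDate` fields, as published by CISA at the time of writing); the CVE identifiers, asset names and dates in the sample data are constructed for the example and do not refer to real vulnerabilities.

```python
"""Triage a vulnerability backlog against a CISA-KEV-style list.

Urgent tier: findings whose CVE is known to be exploited (in KEV, or flagged
from another source such as a media report), ordered by known ransomware use,
internet exposure, then CVSS. Everything else stays in the periodic cadence.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample in the shape of the CISA KEV JSON feed. Field names follow
# the published feed (assumption); the CVE IDs, products and dates are made up.
SAMPLE_KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "vendorProject": "ExampleCorp", "product": "FileMover",
         "dateAdded": "2024-02-01", "dueDate": "2024-02-22",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2099-0002", "vendorProject": "ExampleCorp", "product": "Gateway",
         "dateAdded": "2024-02-05", "dueDate": "2024-02-26",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
})

# Constructed inventory: what a scanner or CMDB export might report for an estate.
SAMPLE_FINDINGS = [
    {"asset": "ftp-edge-01", "cve": "CVE-2099-0001", "cvss": 9.8, "internet_facing": True},
    {"asset": "vpn-gw-02",   "cve": "CVE-2099-0002", "cvss": 9.4, "internet_facing": True},
    {"asset": "build-srv-7", "cve": "CVE-2099-0003", "cvss": 9.9, "internet_facing": False},
    {"asset": "wiki-int-03", "cve": "CVE-2099-0004", "cvss": 5.3, "internet_facing": False},
]


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float
    internet_facing: bool
    in_kev: bool            # listed in the KEV catalogue
    exploited: bool         # in KEV, or flagged exploited by another source
    ransomware_use: bool    # KEV says a ransomware campaign has used it
    due_date: Optional[str] # KEV remediation due date, if listed


def load_kev(text: str) -> dict[str, dict]:
    """Parse KEV-style JSON (e.g. a downloaded copy of the feed) into {cveID: entry}."""
    data = json.loads(text)
    return {v["cveID"]: v for v in data.get("vulnerabilities", [])}


def enrich(findings: Iterable[dict], kev: dict[str, dict],
           extra_exploited: Iterable[str] = ()) -> list[Finding]:
    """Attach exploitation context from KEV (and any extra sources) to raw findings."""
    extra = set(extra_exploited)
    out = []
    for f in findings:
        entry = kev.get(f["cve"])
        out.append(Finding(
            asset=f["asset"], cve=f["cve"], cvss=float(f["cvss"]),
            internet_facing=bool(f["internet_facing"]),
            in_kev=entry is not None,
            exploited=entry is not None or f["cve"] in extra,
            ransomware_use=(entry or {}).get("knownRansomwareCampaignUse") == "Known",
            due_date=(entry or {}).get("dueDate"),
        ))
    return out


def triage(findings: Iterable[dict], kev: dict[str, dict],
           extra_exploited: Iterable[str] = ()) -> tuple[list[Finding], list[Finding]]:
    """Split findings into (urgent, periodic), each ordered most risky first.

    A high CVSS alone does not make a finding urgent: only evidence of
    exploitation does. Within each tier, ransomware use, then internet
    exposure, then CVSS decide the order.
    """
    enriched = enrich(findings, kev, extra_exploited)
    urgent = [f for f in enriched if f.exploited]
    periodic = [f for f in enriched if not f.exploited]
    rank = lambda f: (f.ransomware_use, f.internet_facing, f.cvss)
    urgent.sort(key=rank, reverse=True)
    periodic.sort(key=rank, reverse=True)
    return urgent, periodic


if __name__ == "__main__":
    urgent, periodic = triage(SAMPLE_FINDINGS, load_kev(SAMPLE_KEV_JSON))
    print("URGENT (patch now):")
    for f in urgent:
        print(f"  {f.asset:12} {f.cve}  cvss={f.cvss}  ransomware={f.ransomware_use}  due={f.due_date}")
    print("PERIODIC (monthly cadence):")
    for f in periodic:
        print(f"  {f.asset:12} {f.cve}  cvss={f.cvss}")
```

Note that the internal build server with the 9.9 CVSS finding lands in the periodic tier because nothing in the sample says it is being exploited; passing its CVE in `extra_exploited` (for instance after a credible media report, as Wright suggests) promotes it to the urgent tier without changing the KEV data. In practice the KEV feed would be fetched on a schedule and the findings pulled from the organisation’s own scanner or asset inventory.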