That critical vulnerability might not be the first you should patch

Enterprise security teams being overrun by the rising numbers of vulnerabilities uncovered each day could vastly reduce their patching workload by changing how they prioritize the flaws, according to recent research from vulnerability startup Rezilion. Most enterprises look to the ratings given to flaws in the Common …

  1. Mike 137 Silver badge

    "If you have 1,000 vulnerabilities, focus on the 200 that are actually loaded to memory"

    Finding out whether vulnerable code is loaded into memory is likely to turn into a major research project given the complexity and scale of modern software, and there could be a lot of false negatives given the dynamics of library-oriented code (unless of course we're going to reverse engineer applications as a matter of course in contravention of the EULA).

    However an adequate approximation to it can be provided by the CVSS environmental score (see section 4).

    The majority of vendor-published CVSS scores are raw CVSS base metrics, although independently discovered vulnerabilities may get assigned a temporal score. Consequently, depending on their origin, CVSS scores may not be entirely comparable. However they're a lot better than a bunch of independent incompatible (typically verbal) vendor scores. However I've never encountered an organisation that undertakes calculation of the CVSS third stage environmental score as a matter of course. It's a calculation that has to be done by the organisation itself, but it's essential, as that's where the filtering process takes place to reduce the vast list of potential threats to something more manageable.

    So there's no real need to re-invent the wheel provided the necessary processes and effort are applied to the problem using extant tools. I have to wonder whether the authors of this study have developed (or are developing) a new tool that does what they're advocating. But it seems to me that "loaded to memory" could be a transient phenomenon and thus get missed quite often. Presence of a high score vulnerability and accessibility to an adversary should be the most important metrics.
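
The environmental re-scoring discussed in the comment above, as an added example that is not from the article or any commenter: it assumes CVSS v3.1 (the thread does not name a version) and temporal metrics left Not Defined. The asset names and vectors are constructed; the same published base vector lands at different priorities once each site adds its own requirement and modified metrics.

```python
import math

# Metric weights from the FIRST CVSS v3.1 specification.
W = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "UI": {"N": 0.85, "R": 0.62},
    "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
    "REQ": {"H": 1.5, "M": 1.0, "L": 0.5, "X": 1.0},  # CR / IR / AR
    "PR": {False: {"N": 0.85, "L": 0.62, "H": 0.27},  # scope unchanged
           True: {"N": 0.85, "L": 0.68, "H": 0.5}},   # scope changed
}

def roundup(x):
    """Spec's Roundup: smallest one-decimal number >= x, tolerant of float error."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def environmental_score(vector):
    """Score a v3.1 vector; temporal metrics are assumed Not Defined (factor 1)."""
    m = dict(part.split(":") for part in vector.split("/")[1:])
    def mod(name):  # a modified metric falls back to its base value when absent or X
        value = m.get("M" + name, "X")
        return m[name] if value == "X" else value
    changed = mod("S") == "C"
    expl = (8.22 * W["AV"][mod("AV")] * W["AC"][mod("AC")]
            * W["PR"][changed][mod("PR")] * W["UI"][mod("UI")])
    keep = 1.0
    for req, imp in (("CR", "C"), ("IR", "I"), ("AR", "A")):
        keep *= 1 - W["REQ"][m.get(req, "X")] * W["CIA"][mod(imp)]
    miss = min(1 - keep, 0.915)
    impact = (7.52 * (miss - 0.029) - 3.25 * (miss * 0.9731 - 0.02) ** 13) if changed else 6.42 * miss
    if impact <= 0:
        return 0.0
    total = 1.08 * (impact + expl) if changed else impact + expl
    return roundup(min(total, 10))

def triage(findings):
    """Sort (name, vector) pairs by environmental score, highest first."""
    return sorted(((environmental_score(v), n) for n, v in findings), reverse=True)

# Constructed findings: one published base vector plus the metrics each site would add.
BASE = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
FINDINGS = [
    ("internet-facing payment host", BASE + "/CR:H/IR:H/AR:H"),
    ("isolated lab box, local access only", BASE + "/CR:L/IR:L/AR:L/MAV:L"),
    ("minor leak on a high-confidentiality store", "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/CR:H"),
]
```

Calling `triage(FINDINGS)` returns the findings ordered by environmental score rather than by the vendor's base score.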

  2. Doctor Syntax Silver badge

    Nice headline grabber.

    But if it's not installed you won't be going to patch it. If it's installed then either it's being run or a command away from being run.

  3. AVR

    This seems like a configuration change might suddenly create vulnerabilities by loading un-updated sections of an application. You could create a bespoke process to catch that, but keeping your patching up to date is a general solution which isn't as reliant on such a process being set up correctly and adhered to.

    Obviously this idea has worked for at least one big company but I think for less-big companies (who might have all the staff who understand this process move on to other jobs) it could be a massive problem waiting to happen.

    1. Ayemooth

      "Obviously this idea has worked for at least one big company"... Either that or it just hasn't gone wrong YET. I ended up skimming most of the article looking for the magic tool the report funders are peddling that can tell me what packages actually ever get loaded into memory.

  4. NoneSuch Silver badge

    Game of Risk

    Which is why layered defenses are necessary. You can only reduce risk, you can never eliminate it.
