4 Feb 2025

Patchstack Isn’t Actually Patching Vulnerabilities

You would reasonably think that a security company named Patchstack would be focused on patching security vulnerabilities, but it turns out they are not. In fact, they are actually making it harder for vulnerabilities to get patched.

If you head over to Patchstack’s homepage, they currently claim at the top of the page to offer the “fastest protection for WordPress security vulnerabilities” and claim to have “9,100+ virtual patches to protect you:”

The first claim is silly, since the fastest protection is zero-day protection, which provides protection before vulnerabilities are even known about. No “virtual patch” required. So Patchstack’s “virtual patches” are slower than effective zero-day protection that is provided by the likes of Plugin Vulnerabilities Firewall and NinjaFirewall. All of those solutions are equally fast, as they already provide protection for vulnerabilities that don’t yet exist. Patchstack is obviously aware of this, but they have gotten away with lying for years, so they keep doing it. The second claim is dishonest. “Virtual patch” is a euphemism for a firewall rule. It isn’t a patch at all. Patchstack provides no evidence their firewall rules are effective and an admission they have made tells you that they often are not.

A firewall rule tries to stop one particular way of exploiting a vulnerability; it doesn’t address the underlying issue. So the protection it provides varies widely. By comparison, a patch can’t be bypassed if implemented correctly. Patchstack, it turns out, does not address either of those things.

Patchstack openly admits to failing to do basic due diligence with vulnerabilities, which means they know they are not providing protection through firewall rules for the whole issue. There might be a vulnerability that could be exploited in 10 different ways. Patchstack will provide protection for one through a “virtual patch”, leaving the hacker the option to exploit the 9 others. They also don’t make sure the patches are complete, meaning they are telling people that vulnerabilities have been fixed that haven’t been.
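To make the distinction concrete, here is an added example (not from this post, and not Patchstack’s or any real plugin’s code): a hypothetical post lookup with a SQL injection flaw, the same code fronted by a “virtual patch” that rejects quote characters, and the actual patch. Running the same constructed inputs through all three shows that the rule covers one exploitation pattern while the patch removes the flaw itself.

```python
"""Constructed illustration: firewall rule ("virtual patch") versus a real patch.

The lookup function, table and inputs are all hypothetical; nothing here is
taken from a real plugin or from Patchstack's rules.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with one public and one private post (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER, title TEXT, private INTEGER)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)",
                     [(1, "public post", 0), (2, "private draft", 1)])
    return conn


def vulnerable_lookup(conn, post_id: str):
    # Original flaw: untrusted input spliced straight into the SQL text.
    sql = f"SELECT title FROM posts WHERE private = 0 AND id = {post_id} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


VPATCH_RULE = re.compile(r"['\"]")  # "virtual patch": reject requests containing quotes


def virtually_patched_lookup(conn, post_id: str):
    # The code is unchanged; a rule in front of it blocks one recognised pattern.
    # Any input the rule does not match still reaches the flaw.
    if VPATCH_RULE.search(post_id):
        return []  # request blocked by the rule
    return vulnerable_lookup(conn, post_id)


def patched_lookup(conn, post_id: str):
    # Real patch: the input is typed and bound, so it cannot alter the query.
    try:
        pid = int(post_id)
    except ValueError:
        return []
    sql = "SELECT title FROM posts WHERE private = 0 AND id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (pid,))]


def coverage_report() -> dict:
    """Run identical inputs through each variant; a private title in the
    result means that variant did not cover the whole issue."""
    conn = make_db()
    inputs = ["1", "2", "1 OR title LIKE '%'", "1 OR private = 1"]  # constructed
    variants = {"vulnerable": vulnerable_lookup,
                "virtual_patch": virtually_patched_lookup,
                "patch": patched_lookup}
    return {name: {i: fn(conn, i) for i in inputs} for name, fn in variants.items()}
```

The rule stops the quoted input but lets the unquoted one through to the unchanged flaw, whereas the patched lookup returns only the public post for every input.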

Another problem with this is that Patchstack doesn’t provide even these virtual patches for lots of vulnerabilities. Here is the top of a recent entry in their database:

Apparently, because they classify the vulnerability as “Low priority” they indicate “vPatch unnecessary.” As we noted in a post last week, they didn’t properly vet the vulnerability and it was more serious. Patchstack intentionally doesn’t provide the information needed to vet their claims, which makes it hard to easily determine how often they fail in that way, but based on everything we have seen, it is often. Perhaps that is part of why they don’t provide that information. That also means that many vulnerabilities in WordPress plugins are not getting fully patched. That was the case with the more-serious-than-claimed vulnerability we looked at last week.

When someone investigated Patchstack’s firewall (before they rebranded from WebArx), the results were not good.
