Everyone knows that vulnerabilities turn up from time to time and that you should upgrade things like WordPress, Windows, OS X and other pieces of software commonly used by lots of people. One thing that people don't take into account is the actual times and dates of the proof of concept (POC), the subsequent weaponization of the exploit (if it came from a nefarious source), and then the vendor's patch and announcement (if they even notice or care).
Let's take the most recent exploit that came out for Internet Explorer as our example. These are the earliest easily referenceable dates I could find for this exploit:
- It seems a group of researchers in China found an exploit in IE7 allowing remote execution of malicious code. [Dec 8]
- A blogger wrote an article describing the mess as it unfolded. [Dec 9]
- Microsoft begins ‘investigating’. [Dec 10]
- PCworld releases a writeup documenting things. [Dec 11]
- HD Moore posts a Twitter update announcing the addition of the exploit to Metasploit (meaning anybody could download it and run it at this point). [Dec 12]
That's right: four days from POC to "publicly downloadable and available for anybody to use".
The day I'm writing this post (Monday night, Dec 16) the Microsoft investigation page still says they're investigating. If they have any sense, tomorrow's 'Patch Tuesday' security update should contain a fix.
That being said, it's been a week and there is no patch. What does that mean for the end user, CEO, marketing folks, sales people, graphic artists and other people who aren't focused on security all the time?
- Everyone running IE7 in your enterprise/company/network is vulnerable (and still is, as of Dec 15)
- If this is exploited there is a fair chance that nobody will know until there is a patch, or the antivirus vendors catch up.
- If this is exploited on 0-day, then an attacker has been in your network FOR A WEEK ALREADY.
- Once the fix comes out, the hole is patched.
- But it's very likely that entirely separate attacks were used once IE7 was exploited, so applying the patch to fix IE7 won't undo any damage the attacker has already done.
Not everyone has to be security conscious all the time. For that there's people like us!
Here's something I see every day: the list of new exploits that come out on milw0rm.com (which is just one of the many sites that exist for publishing known exploits):
Look at the third one down on Dec 15