Everyone knows that there are vunlerabilities from time to time and you should upgrade things like wordpress, windows, osx and other pieces of software commonly used by lots of people. One thing that people don’t take into account is the actual times and dates of the proof of concept (POC), subsequent weaponization of the exploit (if it came from a nefarious source) then the vendors patch and announcement (if they even notice or care).
Lets take the most recent exploit that came out for internet explorer as our example. The first easily referencable date I could find for this exploit.
- Seems a group of researchers in china found an exploit in IE7 allowing the execution of malcode remotely. [Dec 8]
- A blogger wrote an article describing the mess as it unfolded. [Dec 9]
- Microsoft begins ‘investigating’. [Dec 10]
- PCworld releases a writeup documenting things. [Dec 11]
- HD Moore posts a twitter update announcing the addition of the exploit to metasploit (meaning anybody could download it and run it at this point). [Dec 12]
Thats right – Four days from POC to “publically downloadable and available for anybody to use“.
The day I’m writing this post (Monday Night, Dec 16) The microsoft investigation page still says they’re investigating. If they have any sense tomorrows ‘patch tuesday’ security patch should contain a fix.
That being said – It’s been a week and there is no patch. What does that mean for the end user, CEO, Marketing folks, Sales people, Graphic Artists and other people who arent focused on security all the time?
- Everyone running IE7 in your enterprise/company/network is vulnerable (and still is, as of Dec 15)
- If this is exploited there is a fair chance that nobody will know until there is a patch, or the antivirus vendors catch up.
- If this is exploited on 0-day, then an attacker has been in your network FOR A WEEK ALREADY.
- Once the fix comes out the hole is patched..
- But it’s very likely entirely separate attacks were used once IE7 was exploited, so applying the patch to fix IE7 won’t fix any damage the attacker has done
Not everyone has to be security concious all the time. For that theres people like us!
Heres something I see every day: The list of new exploits that come out on milw0rm.com (which is just one of the many sites that exist for publishing known exploits):
Look at the third one down on Dec 15 
Your timeline is slightly off — KnownSec posted an example exploit to a forum on December 6th CST and large-scale exploitation started on the 7th. I-Defense was seeing this exploit traded in the underground even earlier. The metasploit module was added on this 12th, but this was 5 days after a working example was posted by KnownSec and about 16 hours after code started to show up on milw0rm.
Wow, thanks for checking in HD!
I wish I was as plugged into the sploit scene as you are – I’m still working towards that
The main point of this post was simply to illustrate how quickly something can go from ‘known’ to ‘easily available to the public’, and why people of a non-technical nature would fare well by taking some time to talk to a security expert!