IT Security, Zero-Day

Zero News On Zero-Day Bugs For 10 Whole Months

http://www.forbes.com/sites/andygreenberg/2012/10/16/hackers-exploit-software-bugs-for-10-months-on-average-before-theyre-fixed/

This is all very true and, to be candid, I’m not in the least bit surprised by these findings.

To be clear, the way it works today in the legitimate world is that someone (ethical hackers, independent researchers, Microsoft's own labs) studies the code and finds vulnerabilities.  They then report these issues, to the vendor and often publicly, in the hope that this will pressure companies into fixing them quickly.  Some companies do; others don't, for two main reasons.

The first is economic: it costs money to dedicate a task force to fixing bugs.  The second is that a vulnerability on its own is not necessarily treated as a problem, that is, not until someone demonstrates that it can actually be exploited.

In fact, what we should be discussing here is exploits rather than vulnerabilities.  An error in the code does not necessarily leave it bare and exposed to attack; at times no exploit is possible at all, and in those cases a vendor can argue that fixing the bug is moot and a potential waste of money.  This is why the vast majority of companies adopt a "wait and see" attitude, holding off until someone shows whether an exploit is actually possible and how hard it is.  The catch with that attitude is that exploitability is not fixed: a bug judged unexploitable today can become exploitable once a new technique or a bypass for a mitigation appears.

My quarrel with this article is not about whether the issue is revealed to the public or not.  I'm more focused on the fact that professional hackers are already doing all of this research on their own.  Yes, it's true.  They are already fully aware of the vulnerabilities, are most likely exploiting them, and aren't telling anyone, because the longer their findings stay secret, the more money they can make.  Hence, shouting out loud when we find something doesn't give these hackers an extra edge because, very frankly, it's old news to them.

That said, it does give us ammunition to go back and demand a fix from the vendor, who might otherwise never attempt one, even after the issue has been made public.

I was able to share my views with SC Magazine in an article posted online yesterday evening.  If you have a few minutes, I invite you to read it here: http://www.scmagazine.com/zero-day-attacks-last-much-longer-than-most-would-believe/article/264104/

Until our next blog post, have a good one.

Our mission is to produce, configure and maintain effective, affordable, computer security systems to protect the computer systems of enterprises of all sizes. We believe that all companies, regardless of size, should be afforded the same level of protection.
