How fast is a security patch converted into an exploit? F-Secure's @TimoHirvonen did a study and came up with this example to document a time-to-exploit timeline.
• 2012-08-14: Security update available for Adobe Flash Player, patches vulnerability CVE-2012-1535.
(Security update available for Adobe Flash Player)
• 2012-08-15: Microsoft Office Word documents with embedded Flash exploit for CVE-2012-1535 seen in the wild.
(CVE-2012-1535: Adobe Flash being exploited in the wild, CVE-2012-1535 - 7 samples and info)
• 2012-08-17: Exploit is added to Metasploit Framework, a public, open-source tool for developing and executing exploits.
(Adobe Flash Player Exploit CVE-2012-1535 Now Available for Metasploit)
It took just one day for the patch to be converted into an exploit. In other words, it is not enough to release a patch. What matters now is how fast all clients can be updated after a patch is released.