The speed at which a patch can be pushed to all clients matters.

How fast is a security patch turned into an exploit? F-Secure's @TimoHirvonen did a study and came up with this example to document a time-to-exploit timeline.

  •  2012-08-14: Security update available for Adobe Flash Player, patching vulnerability CVE-2012-1535.
     (Security update available for Adobe Flash Player)
  •  2012-08-15: Microsoft Office Word documents with an embedded Flash exploit for CVE-2012-1535 seen in the wild.
     (CVE-2012-1535: Adobe Flash being exploited in the wild; CVE-2012-1535 - 7 samples and info)
  •  2012-08-17: Exploit added to the Metasploit Framework, a public, open-source tool for developing and executing exploits.
     (Adobe Flash Player Exploit CVE-2012-1535 Now Available for Metasploit)

It took just one day for the patch to be turned into an in-the-wild exploit. In other words, releasing a patch is not enough. What matters now is how fast all the clients can be updated after a patch is released.
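The takeaway above can be turned into a metric a defender can track: how much of the fleet was still unpatched on the day the exploit appeared, and on the day it landed in Metasploit. The following is an added example, not code from the post or from F-Secure's study; the three dates come from the timeline above, while the per-client patch dates (the `FLEET_PATCH_DATES` table, hostnames included) are constructed sample data that stands in for whatever a patch-management system would report.

```python
from datetime import date

# Timeline as given in the post for CVE-2012-1535.
PATCH_RELEASED = date(2012, 8, 14)
EXPLOIT_IN_WILD = date(2012, 8, 15)
EXPLOIT_IN_METASPLOIT = date(2012, 8, 17)

# Constructed sample data (hypothetical hostnames): the date each client
# actually received the patch. None means the client is still unpatched.
FLEET_PATCH_DATES = {
    "ws-001": date(2012, 8, 14),
    "ws-002": date(2012, 8, 15),
    "ws-003": date(2012, 8, 16),
    "ws-004": date(2012, 8, 20),
    "ws-005": None,
}


def time_to_exploit_days(patch_released, exploit_seen):
    """Days between the vendor patch and the first observed exploit."""
    return (exploit_seen - patch_released).days


def exposed_clients(fleet, as_of):
    """Clients that still lacked the patch on `as_of`.

    A client patched on `as_of` itself counts as protected; a client with
    no patch date at all is always exposed.
    """
    return sorted(
        name for name, patched in fleet.items()
        if patched is None or patched > as_of
    )


def patch_latency_days(fleet, patch_released):
    """Per-client delay between patch release and installation (None if unpatched)."""
    return {
        name: (None if patched is None else (patched - patch_released).days)
        for name, patched in fleet.items()
    }


def exposure_report(fleet, patch_released, milestones):
    """For each attacker milestone, how far it is from the patch and which
    clients were still exposed when it was reached."""
    report = {}
    for label, when in milestones.items():
        exposed = exposed_clients(fleet, when)
        report[label] = {
            "days_after_patch": time_to_exploit_days(patch_released, when),
            "exposed": exposed,
            "exposed_fraction": len(exposed) / len(fleet),
        }
    return report


if __name__ == "__main__":
    milestones = {
        "in_the_wild": EXPLOIT_IN_WILD,
        "metasploit": EXPLOIT_IN_METASPLOIT,
    }
    for label, row in exposure_report(FLEET_PATCH_DATES, PATCH_RELEASED, milestones).items():
        print(f"{label}: day +{row['days_after_patch']}, "
              f"{row['exposed_fraction']:.0%} of fleet exposed -> {row['exposed']}")
    print("patch latency (days):", patch_latency_days(FLEET_PATCH_DATES, PATCH_RELEASED))
```

Run against real inventory data, the interesting number is the exposed fraction on the in-the-wild date: with a one-day time-to-exploit, any rollout that takes longer than a day leaves that share of the fleet facing a working exploit.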
