Days of Risk

The last few months have seen a lot more talk about the “Days of Risk”. In short, vendors like Microsoft say the days of risk are the time between vulnerability information (or an exploit) being released and a system being patched. So if a new vulnerability is announced on Tuesday and I patch on Friday, there were three days of risk. This makes sense, and it is also why many vendors advocate responsible disclosure and coordinated vulnerability announcements.

So what has been happening lately? I’ve noticed that my Windows XP systems’ “auto-update” feature is lagging heavily. Vulnerabilities are announced on a Tuesday, and it is as many as six days before my machine will alert me, download and install the patches. The point of this post is to ask: is six days a lot of risk? To get an idea, let’s look at a few of the recent vulnerabilities announced by Microsoft.

MS05-016, Windows MSHTA Shell Application Association Arbitrary Remote Script Execution
Disclosure: 2005-04-12 // Exploit: 2005-04-13

MS05-021, Exchange Server SMTP Extended Verb Remote Overflow
Disclosure: 2005-04-12 // Exploit: 2005-04-19

MS05-020, IE DHTML Object Memory Corruption Code Execution
Disclosure: 2005-04-12 // Exploit: 2005-04-12

So we have 0 days, 1 day and 7 days. Due to the lag in Microsoft making the patches available (I honestly don’t care what their excuse is), my computers are vulnerable and there is nothing I can do about it. I don’t think I need to address the fact that many of these vulnerabilities had fully working exploit code developed long before the Microsoft advisories either. Sure, they were held by the researchers and not disclosed, but information is shared, information is leaked, and information is stolen. That is a fact of life, and it only increases the days of risk.
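To put numbers on the above, here is an added example (not part of the original post) that takes the three advisories and their disclosure and exploit dates as listed, assumes the host patches a fixed number of days after disclosure (six, the auto-update lag observed above), and reports the vendor-style days of risk alongside the days the host sat unpatched while a public exploit already existed:

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Advisory:
    msid: str
    disclosed: date       # vendor bulletin / public disclosure date
    exploit_public: date  # first public exploit, as listed in the post


# The three advisories from the post, with the dates quoted there.
ADVISORIES = [
    Advisory("MS05-016", date(2005, 4, 12), date(2005, 4, 13)),
    Advisory("MS05-021", date(2005, 4, 12), date(2005, 4, 19)),
    Advisory("MS05-020", date(2005, 4, 12), date(2005, 4, 12)),
]


def exploit_lag(a: Advisory) -> int:
    """Days from disclosure to a public exploit (negative: exploit first)."""
    return (a.exploit_public - a.disclosed).days


def days_of_risk(a: Advisory, patched: date) -> int:
    """Vendor definition: days from disclosure until this host is patched."""
    return max((patched - a.disclosed).days, 0)


def exploited_exposure(a: Advisory, patched: date) -> int:
    """Days this host was unpatched while a public exploit existed.
    An exploit released on or after the patch date contributes 0."""
    return max((patched - a.exploit_public).days, 0)


def risk_report(lag_days: int, advisories=ADVISORIES) -> dict:
    """Assumption: the host patches lag_days after each disclosure."""
    lag = timedelta(days=lag_days)
    report = {}
    for a in advisories:
        patched = a.disclosed + lag
        report[a.msid] = {
            "exploit_lag": exploit_lag(a),
            "days_of_risk": days_of_risk(a, patched),
            "exploited_exposure": exploited_exposure(a, patched),
        }
    return report


if __name__ == "__main__":
    for lag in (0, 3, 6):
        print(f"patch lag {lag} days: {risk_report(lag)}")
```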
