Age of a vulnerability is not an indicator of future risk

I cited MS14-066, commonly known as Winshock, this week as a reason to take action on a server. Another stakeholder tried to argue with me. The vulnerability was very old, he said–years old, and hadn’t caused a problem yet.

He’s right. It’s at least 19 years old. But that’s merely interesting, not important.

What’s important is what’s possible now that people know how to look for it and how to exploit it.

The probability of finding gold in California probably didn’t seem all that high in 1847. That gold had been sitting there longer than humans have been alive. But then, in 1848, James Marshall discovered gold, and the next thing we knew, California had a gold rush on its hands.

The length of time it took to discover gold had no bearing on how difficult it was to find gold once people knew where to look.

The same thing is true of vulnerabilities in computer systems. Uncovering them is usually more difficult than exploiting them once they’ve been discovered. But the length of time it took to discover them isn’t usually related to the difficulty of exploiting them. And in the case of most of the headline vulnerabilities of 2014, it wasn’t that these vulnerabilities were all that sophisticated–it was just that they were hiding in places nobody had looked yet.

And that’s another reason vulnerabilities seemed to come out of the woodwork in 2014. When people found a flaw in one piece of software, they started looking at similar pieces of software to see if other people had made similar mistakes. Frequently the answer was yes.

%d bloggers like this:
WordPress Appliance - Powered by TurnKey Linux