Age of a vulnerability is not an indicator of future risk

I cited MS14-066, commonly known as Winshock, this week as a reason to take action on a server. Another stakeholder tried to argue with me. The vulnerability was very old, he said–years old, and hadn’t caused a problem yet.

He’s right. It’s at least 19 years old. But that’s merely interesting, not important.

What’s important is what’s possible now that people know how to look for it and how to exploit it.

The probability of finding gold in California probably didn’t seem all that high in 1847. That gold had been sitting there longer than humans have been alive. But then, in 1848, James Marshall discovered gold, and the next thing we knew, California had a gold rush on its hands.

The length of time it took to discover gold had no bearing on how difficult it was to find gold once people knew where to look.

The same thing is true of vulnerabilities in computer systems. Uncovering them is usually more difficult than exploiting them once they’ve been discovered. But the length of time it took to discover them isn’t usually related to the difficulty of exploiting them. And in the case of most of the headline vulnerabilities of 2014, it wasn’t that these vulnerabilities were all that sophisticated–it was just that they were hiding in places nobody had looked yet.

And that’s another reason vulnerabilities seemed to come out of the woodwork in 2014. When people found a flaw in one piece of software, they started looking at similar pieces of software to see if other people had made similar mistakes. Frequently the answer was yes.
