« Win-Win | Main | Adobe's Flaw Exposed »

Washington Post's Brian Krebs makes the claim that for 284 days in 2006, there were IE related exploits "in the wild" for which there were no patches available

"For a total 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet. Likewise, there were at least 98 days last year in which no software fixes from Microsoft were available to fix IE flaws that criminals were actively using to steal personal and financial data from users"

Does this surprise you? It shouldn't...and it's not all Microsoft's fault either. It's the very nature of the world we live in today where vulnerabilities are discovered and exploits are released weekly. Microsoft just happens to have more software deployed than any other vendor so they're exposed a little more.

A couple of other points -

First, the situation in reality is worse than the 284 days of exposure because most organizations cannot or will not keep up with patching. When you consider databases, application server software, ERP systems on top of the Microsoft OS desktop software, we are reaching a point where patching as a proactive solution to security exploits is hitting a critical juncture. The rate of known vulnerabilities and exploits are reaching a level whereby to keep up a security mananger would have to patch almost every day.

Second, since patching is not a seamless exercise in the life of an enterprise IT organization, most companies patch regularly at fixed intervals - sometimes monthly or more. Mucho exposure. If you ever wonder why you need an IPS system - this "patch gap" window is exactly why. You need to be protected until you get your systems patched ...and by then the patch gap window exposure has moved on.

Posted by andreyee in Alerts/Warnings |Digg This|Add to del.icio.us

Trackback Pings

TrackBack URL for this entry:
http://www.ebizq.net/mt/mt-tb.cgi/1147