72 Hours From Patch To Exploit

This report <https://www.theregister.com/2021/04/06/sap_patch_attacks/> from software company SAP and security company Onapsis says that, from the moment SAP releases a security patch for its products, it only takes about 72 hours until bad hats have reverse-engineered the patch, figured out the security vulnerability it is meant to fix, and started releasing an exploit to take advantage of that vulnerability. Actually, proof-of-concept code can appear quicker than that. Which leaves customers in a dilemma: continue running patches through their regular QA procedures before deployment, widening the window for exploits to get in, or forgo those QA procedures and deploy patches quickly to plug holes while risking breaking production systems? And of course this wouldn’t be unique to SAP ...

On Thu, 8 Apr 2021 12:49:14 +1200, I wrote:
> ... from the moment SAP releases a security patch for its products, it only takes about 72 hours until bad hats have reverse-engineered the patch, figured out the security vulnerability it is meant to fix, and started releasing an exploit to take advantage of that vulnerability.
Here is a report <https://www.theregister.com/2021/05/19/hafnium_scans_5_mins_post_disclosure/> on a similar, if not worse, situation for Microsoft:

    Attackers began scanning for vulnerabilities just five minutes after Microsoft announced there were four zero-days in Exchange Server, according to Palo Alto Networks. ... "Computing has become so inexpensive that a would-be attacker need only spend about $10 to rent cloud computing power to do an imprecise scan of the entire internet for vulnerable systems" ...
Participants (1): Lawrence D'Oliveiro