We have now arrived in the theatre of the absurd. Collectively we use things like Adobe Flash, Acrobat and Java on our systems everyday. We use software that is flawed at its very core in our jobs, schools and home life. Then we’re surprised when things go awry. “How did that attacker breach my system?” and so forth.
The current batch of Adobe vulnerabilities covers 15 different CVEs. These are ranked as critical. I wish that this was a surprise, but this is just one example of the type of software that we should just stop using. We continue to put ourselves and our organizations in a position where we are open to attack for no good reason other than “Oooh look at the pretty flash video. That cat is soooo funny.” And the much-maligned Java is simply a misunderstood piece of software. Let’s be honest. It is one of the best remote management products out there today. Can’t argue with the price point.
I’m just picking on those two pieces of software out of convenience, but there is no shortage of code to take a jab at. So, why do we continue to leverage products like this? A quick search of “Adobe Flash” vulnerabilities showed me 237. Are we unable to get our employees and/or customers to take a polite “no” for an answer? I know we’re always going to have zero days. I’m more concerned with the 100+ day vulnerabilities, zero days be damned. We get into such a lather about zero days when we can barely manage to get our heads around not having MS08-067 in our environments. Your move, bouncing ball of logic.
We need to get better at doing patch management. Is that horse dead yet? I’ve been beating it for years now. But, in all fairness, we need to get better at this collectively. Yes, I get that there are special snowflakes out there that do a good job at it. For that, I commend you. If we are going to insist on using software that is inherently flawed, we need to build the infrastructure to support it. If you are able to patch and remediate in short order, you lessen the chance that you’re going to be compromised.
It is no guarantee, but in a world where the only guarantees are death and taxes you need to make sacrifices. I’ve lived through enough corporate environments that I’ve seen good implementations and I’ve seen horrendous ones.
Want to improve your security? Get a good handle on your patch management implementation. Or, get one. I assume nothing. If you’re not keeping on top of your patching cycle, you’re going to open yourself up to a world of hurt.
The trick to vanquishing the 100-day vulnerability dragon is simple. Patch your systems and then lather, rinse, repeat.
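The “100+ day vulnerability” idea is easy to measure once you track, per host, when a vendor fix became available and whether it has been applied. The script below is an added example, not code from the original post; the hosts, products and advisory identifiers are constructed placeholders, and the 100-day threshold is the one the post uses as its rule of thumb. It reports the unpatched findings that have crossed that line, ordered by how long they have been exposed, which is the list a patch-management program should be driving to zero.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Days after a fix is available at which a finding joins the "long tail".
LONG_TAIL_DAYS = 100


@dataclass(frozen=True)
class Finding:
    host: str        # constructed hostname
    product: str
    advisory: str    # constructed placeholder id, not a real advisory
    released: date   # date the vendor fix became available
    patched: bool    # whether the fix has been applied on this host


# Constructed sample inventory, as a scanner or asset database might export it.
FINDINGS: List[Finding] = [
    Finding("ws-001", "Adobe Flash", "ADV-EXAMPLE-1", date(2011, 1, 10), False),
    Finding("ws-002", "Java",        "ADV-EXAMPLE-2", date(2011, 4, 1),  False),
    Finding("srv-01", "Acrobat",     "ADV-EXAMPLE-3", date(2011, 5, 1),  True),
    Finding("ws-003", "Adobe Flash", "ADV-EXAMPLE-1", date(2011, 1, 10), True),
]


def exposure_days(finding: Finding, as_of: date) -> int:
    """Days the fix has been available relative to the reporting date."""
    return (as_of - finding.released).days


def long_tail(findings: List[Finding], as_of: date,
              threshold: int = LONG_TAIL_DAYS) -> List[Finding]:
    """Unpatched findings whose fix has been available for >= threshold days,
    worst (longest exposed) first."""
    stale = [f for f in findings
             if not f.patched and exposure_days(f, as_of) >= threshold]
    return sorted(stale, key=lambda f: exposure_days(f, as_of), reverse=True)


def summarize(findings: List[Finding], as_of: date) -> Dict[str, int]:
    """Counts a patch-management dashboard would show for a reporting date."""
    unpatched = [f for f in findings if not f.patched]
    tail = long_tail(findings, as_of)
    return {
        "total": len(findings),
        "unpatched": len(unpatched),
        "long_tail": len(tail),
        # Oldest open exposure in days; 0 when everything is patched.
        "worst_days": max((exposure_days(f, as_of) for f in unpatched), default=0),
    }


def report(findings: List[Finding], as_of: date) -> str:
    """Human-readable version of the long tail for the reporting date."""
    lines = [f"Patch status as of {as_of.isoformat()}"]
    for f in long_tail(findings, as_of):
        lines.append(f"  {f.host:8} {f.product:12} {f.advisory:14} "
                     f"{exposure_days(f, as_of):4d} days unpatched")
    s = summarize(findings, as_of)
    lines.append(f"  {s['long_tail']} of {s['unpatched']} open findings are past "
                 f"{LONG_TAIL_DAYS} days (worst: {s['worst_days']} days)")
    return "\n".join(lines)


if __name__ == "__main__":
    # Fixed reporting date so the output is reproducible; use date.today() in practice.
    print(report(FINDINGS, date(2011, 5, 15)))
```

The reporting date is passed in rather than read from the clock so the same inventory always produces the same answer, which matters when the numbers feed a weekly compliance metric; feeding the script a live asset export and `date.today()` turns it into the running tally the post is asking for.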
(Image used under CC from pasukaru76)