Patching Software “Security” Dilemma

We have a dilemma when deciding how and when to patch the software we depend on.

Not every vulnerability patch fixes the problem it was meant to resolve without causing some other problem.

[Image: adobeflashfix] Picture is from #TheHackerNews

How do we resolve this while also realizing that the window to patch our software is shrinking: http://www.cio.com/article/2900074/new-attacks-suggest-leeway-for-patching-flash-player-is-shrinking.html

What I mean is this: when a zero-day vulnerability is out (meaning there is no patch for it yet, so if an exploit reaches the masses we are all susceptible), how quickly does that exploit hit the masses and start to affect us?


So what SCMagazine is saying is that it takes less time now than before.


"However, the short one-week period it took attackers to develop a reliable exploit for CVE-2015-0336 and integrate it into Nuclear EK could signal a dangerous trend."


This is an important distinction, since we have to decide which attacks justify speeding up the testing process of running the patches in a test environment first. (The IT department knows there has to be testing for patches, since not all patches are safe to implement.)

Under PCI compliance one has 1 month to implement critical patches or be out of compliance, but that looks insufficient if a new exploit is churned out in 1 week.
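One way to put that decision into a triage routine, as an added example that is not part of the original post: each patch is placed in a lane, and for critical patches the working deadline becomes the earlier of the PCI one-month date and the one-week weaponization time quoted above. The lane names, the sample backlog and the CVE-XXXX ids are assumptions and placeholders, not anything from the post.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Figures taken from the post: PCI allows one month for critical patches, and
# CVE-2015-0336 went from patch release to Nuclear EK in about one week.
PCI_CRITICAL_WINDOW_DAYS = 30
OBSERVED_WEAPONIZATION_DAYS = 7


@dataclass
class Vuln:
    cve: str
    severity: str          # "critical", "high", "medium", ...
    disclosed: date        # date the vendor advisory (and patch, if any) appeared
    patch_available: bool
    exploit_in_kit: bool   # seen in an exploit kit or other active exploitation


def patch_lane(v: Vuln, today: date):
    """Return (lane, deadline). Lane names are hypothetical, not PCI terms:
    mitigate   - zero-day, no patch to test; compensating controls instead
    emergency  - exploit already circulating; deploy now, test in parallel
    fast-track - critical but no exploit yet; shortened test cycle, due before
                 attackers are likely to have weaponized it
    standard   - normal test-then-deploy cycle, no fixed date here
    """
    if not v.patch_available:
        return "mitigate", None
    if v.exploit_in_kit:
        return "emergency", today
    if v.severity == "critical":
        compliance_deadline = v.disclosed + timedelta(days=PCI_CRITICAL_WINDOW_DAYS)
        exploit_eta = v.disclosed + timedelta(days=OBSERVED_WEAPONIZATION_DAYS)
        # the compliance date is only the outer bound; the exploit ETA is the real one
        return "fast-track", min(compliance_deadline, exploit_eta)
    return "standard", None


def days_left(v: Vuln, today: date):
    """Days until the deadline (negative when overdue); None if no fixed date."""
    _, deadline = patch_lane(v, today)
    return None if deadline is None else (deadline - today).days


# Constructed sample backlog; dates and the CVE-XXXX ids are placeholders.
TODAY = date(2015, 3, 20)
BACKLOG = [
    Vuln("CVE-2015-0336", "critical", date(2015, 3, 12), True, True),
    Vuln("CVE-XXXX-0001", "critical", date(2015, 3, 18), True, False),
    Vuln("CVE-XXXX-0002", "critical", date(2015, 3, 19), False, False),
    Vuln("CVE-XXXX-0003", "high", date(2015, 2, 1), True, False),
]
```

Running `patch_lane(v, TODAY)` over the backlog gives one emergency, one fast-track due five days out, one zero-day to mitigate and one standard-cycle patch.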


So PCI compliance will have to make changes in the future.

