- Apr 26, 2011
"Some exploitable software bugs are found by independent researchers and never reported to the software vendor. They are deadly because nobody knows about them except the attacker. This means there is little to no defense against them (no patch is available).
Many exploits that have been publicly known for more than a year are still being widely exploited today. Even if there is a patch available, most system administrators don't apply the patches in a timely fashion. This is especially dangerous since even if no exploit program exists when a security flaw is discovered, an exploit program is typically published within a few days after release of a public advisory or a software patch.
Although Microsoft takes software bugs seriously, integrating changes by any large operating system vendor can take an inordinate amount of time.
When a researcher reports a new bug to Microsoft, she is usually asked not to release public information about the exploit until a patch can be released. Bug fixing is expensive and takes a great deal of time. Some bugs are not fixed until several months after they are reported.
One could argue that keeping bugs secret encourages Microsoft to take too long to release security fixes. As long as the public does not know about a bug, there is little incentive to quickly release a patch. To address this tendency, the security company eEye has devised a clever method to make public the fact that a serious vulnerability has been found, but without releasing the details."
Information is extracted from "Rootkits: Subverting the Windows Kernel" by Greg Hoglund and James Butler.