The media – and indeed many parts of the security industry – just looove zero-day exploits. They are exciting to report, to research, to block…but interestingly, SophosLabs sees much more malware exploiting patched vulnerabilities.
I know – it’s a bit weird. Why would malware authors bother to target a vulnerability for which a patch is already available for download…for free? Surely, it would be a lost cause, a dud, a lemon, a non-starter.
Alas, many people – and companies – don’t get around to patching. And I just don’t get why. If I cut myself, I put a plaster on it so I don’t bleed all over the place. A no-brainer. Isn’t patching security vulnerabilities in the same boat?
To illustrate the importance of patching, our very own Mister Paul Baccas, SophosLabs’ malware researcher extraordinaire, has just released a technical paper (and I do mean technical) on this very topic, which you can download as a PDF.
He focuses on a specific Microsoft patch, namely MS10-087, released to address the vulnerability CVE-2010-3333 (RTF Stack Buffer Overflow Vulnerability). The patch was released way back in November 2010, and his paper tracks the constantly evolving exploits that have been hammering away at unpatched systems.
And with malware authors continually fuzzing the file format to try and avoid detection from security software, the end is by no means in sight. Just take a look at how many exploits we have seen affecting this single patch vulnerability?
So, the lesson is simple. We all need to patch in a timely manner. Don’t believe me? Check out Paul’s paper to see a snapshot of just how far the bad guys are willing to go so they can take advantage of those of us that don’t get around to patching.
For a less nerdy explanation of Paul’s research than his technical paper, listen to this podcast where Chester Wisniewski interviews Paul for the layman’s view of his results.
(7 February 2012, duration 11:50 minutes, size 11.4 MBytes)