7 Hours…

…is now the absolute maximum time you have to patch your website after a remote vulnerability is announced in software you are using. The path from patch release to Internet-wide attack can be at least that short.

This is interesting in a number of ways; firstly, the time of day at which you publish your vulnerability will advantage or disadvantage people in different geographies. Want to put US companies at higher risk? Publish your vulnerability at 10pm Pacific Time. Not happy with the Koreans for some reason? Publish at 10pm Korean time.

It means hosting companies now need (if they didn’t have them before) 24-hour security teams watching all possible announcement points, and the ability to deploy patches across their entire base of hosts (tens of thousands of machines) in a small number of hours. There isn’t time for an audit – “Am I using Software X version Y anywhere?” You need to know that already, and where.

One thought on “7 Hours…”

  1. Yeah. I patched that specific example in the airport on the way to the Thunderbird Summit 2014 in Toronto.

    It’s getting tough out there.