4:35 PM -- "It's been done before." These are words I hear often when doing my research. You can chalk it up to great minds thinking alike, but it's frustrating when you think you're the first -- or at least have a new take on an old issue.
The security industry tends to have a pattern to its madness. Someone discloses a vulnerability, the company that developed the software issues a patch, and the press dies down. But does that pattern really make sense?
I've seen vendors patch countless vulnerabilities that were extremely dangerous. But what does "patched" mean, exactly? Does it mean the vendor called all its customers, gave them copies of the new software, and ensured that they correctly installed the new patch? Doubtful. Only a few companies even have automatic patching processes for all of their products, and even those only work if you are running a version of the product that has automatic patching enabled.
So here I sit as a researcher, with thousands of "solved" issues in my brain, looking at a Web application that clearly has a vulnerability -- a class of vulnerability that has been known for almost 10 years. Does that mean the issue is no longer there, simply because security researchers have seen it before? No. The threat persists because these issues aren't solved. Just because they are known by a very small group of people doesn't mean they are fixed everywhere they exist.
Herein lies the problem. We have security researchers saying it's not new and vendors saying they've long since issued a patch, and yet the vulnerability persists in deployed systems. Does that make it less interesting? Perhaps, but that's irrelevant to the problem at hand. We have vulnerable applications out there that no one has patched -- and without a plan to do so, attackers will always have a way into your network.
It may be "old news," but if you're still vulnerable, it's no less dangerous.