Old vulnerabilities still out there - why and what are we missing?
I am attending the RSA Conference and listened to a presentation by CORE Software where they addressed numerous vulnerabilities for IBM, Microsoft and Oracle as well as other vendors. MS08-067 is still viewed as the #1 exploited vulnerability. How could a vulnerability announced in 2008 require patching in a significant part of the business world? Hearing this news put me at a complete loss of words. I needed to confirm this information myself and completed additional research. Unfortunately, CORE Software is correct - IT is not doing a good job on technology fundamentals such as Patch Management. Why is this the case? Is IT too busy to complete Patch Management activities or are business partners unwilling to spend time and money to test after patching?
Here is a short list of some of the vulnerabilities that exist today and commonly exploited by people intending to do harm. I came to the RSA conference believing vendor focus would be on IoT, however, the conference is full of vendors selling threat and vulnerability analytics tools. Are we just chasing technology for technology's sake? It seems every year we spend more money on security and still feel less secure. It would be interesting to go back in time and note the scare of the year from the 2016 RSA Conference and how many of these actually survived and, better yet, how many actually still exist from a vulnerability perspective. What are we missing?