‘Tis the season

The last week of December is often an interesting week in our industry.

IT security is often pictured as a fight between the ‘good guys’ and the ‘bad guys’. Well, from December 25th to January 1st, the battlefield is noticeably skewed in favor of the bad guys.

It’s not too difficult to see why – the CSOs are on vacation. The IT staff is minimal. Nobody would risk deploying a patch that could affect the entire company come January 1st (and who wants the boss to come back to work after a New Year’s party and find out her computer doesn’t boot). On the vendor side, things are similar; you had better not find a critical, exploitable buffer overflow during this week – there will be no one to fix it, or to deploy a workaround.

Last year, Determina reported the .ANI buffer overflow to Microsoft in December, but the acknowledgment from Microsoft only came in early January (not to mention that the patch itself, MS07-017, only came in April).
Two years ago the WMF exploit made noise and, since the Microsoft engineers were on vacation, Ilfak Guilfanov and ZERT had to pitch in and release third-party patches for the problem.

At Christmas 2004, ironically enough, Microsoft was busy with the first .ANI vulnerability (that one reported by eEye), almost identical to the one that followed two years later, and again the patch waited until after the Microsoft QA team had time to recover from the New Year’s hangover.

Six years ago, David Litchfield turned Oracle’s then marketing tagline “Unbreakable” into pure mockery by discovering a series of remotely exploitable vulnerabilities, which of course were not patched in time for the Santa Claus season.

These stories remind me of the Christmas party at the Nakatomi building in “Die Hard”, only in our case the attackers have the additional benefit of the “out of office” auto-replies telling them exactly who has left their post (not to mention that not every company has a John McClane to save it from imminent doom).

Will this holiday season be quiet? So far there aren’t any clouds on the horizon, so let’s hope it stays that way for another 10 days or so. After all, even we security folks need our R&R…

Happy holidays everyone!