Forget Zero-Days, Known Bugs Are What Actually Get You

Forget Zero-Days, Known Bugs Are What Actually Get You

Zero-day vulnerabilities get all the headlines because they sound dramatic, a brand new flaw nobody’s ever seen before, exploited before anyone even had a reasonable chance to patch it in time. The uncomfortable reality is that most businesses are breached through vulnerabilities that were publicly known months or even years earlier, sitting unpatched on systems everyone simply forgot to update amid the daily pressure of running a business. It’s not a comfortable thought, but it’s a far more useful one, because known problems can actually be fixed with the resources most businesses already have.

The Gap Between Known and Fixed

When a vulnerability is disclosed publicly, a race begins between attackers building tools to exploit it quickly and businesses patching the affected systems before that happens. Attackers reliably win that race more often than most owners would like to believe possible, not because they’re technically brilliant or especially sophisticated, but because patching takes organisation, testing and time that many IT teams simply don’t have spare capacity for in any given week, buried under other more urgent-seeming priorities. Smaller businesses are often hit hardest by this gap, since they rarely have a dedicated person whose sole job is tracking which patches apply to which systems.

Regular vulnerability scan services exist specifically to close that patch lag, scanning your entire estate for exactly these known, publicly documented weaknesses before an opportunistic attacker’s automated tools manage to find them first.

Forget Zero-Days, Known Bugs Are What Actually Get You — Aardwolf Security

Automated Tools Don’t Care How Famous the Bug Is

Attackers running mass exploitation campaigns aren’t hunting for anything particularly exotic or clever. They’re running automated scanners against enormous numbers of internet-facing systems, checking each one against a long list of known vulnerabilities with published fixes already freely available online. If your business hasn’t applied a patch that’s been public for eight months or more, you’re not being targeted specifically by anyone, you’re simply the next result in a list, caught by a net cast wide rather than a spear aimed precisely at you personally. The volume of published vulnerabilities each month means most IT teams are permanently behind, triaging urgent fixes while a backlog of lower-priority patches quietly grows in the background. A single unpatched content management system or an outdated plugin is often all it takes to give an attacker the initial foothold they’re after.

William Fieldhouse sees this pattern repeat across almost every routine engagement his team runs for clients.

“In nearly every test we run, we get in through something that had a patch available for well over a year, and it’s rarely a difficult vulnerability to find at all, it’s simply one that never got fixed by anyone along the way.”

— William Fieldhouse, Director of Aardwolf Security Ltd

That’s oddly reassuring in one sense, because it means most businesses aren’t losing to some unstoppable, unknowable threat lurking in the shadows. They’re losing to a known problem with a known fix that simply never got applied in time, often because nobody had proper visibility of exactly which systems needed attention most urgently. Fixing that is far more achievable in practice than defending against something nobody’s ever seen or documented before. It also means the fix is usually well documented already, with a clear vendor patch available rather than a novel workaround that needs to be invented from scratch.

Fix What’s Already Known Before Chasing the Unknown

Before worrying about exotic threats that may never materialise, it’s worth requesting a penetration testing quote to establish exactly how many already-known, already-patchable vulnerabilities are quietly sitting inside your current systems right now.

Share:

Peter

Peter Thompson: Peter, a futurist and tech commentator, writes about emerging technology trends and their potential impacts on society.

Create Account



Log In Your Account