[CentOS] what percent of time are there unpatched exploits against default config?

Lamar Owen lowen at pari.edu
Fri Dec 30 15:24:17 UTC 2011


On Tuesday, December 27, 2011 10:13:12 PM Bennett Haselton wrote:
> Roughly what percent of the time is there such an unpatched exploit in the
> wild, so that the machine can be hacked by someone keeping up with the
> exploits?  

While I did reply elsewhere in the thread, I want to address this specifically.

I can give you a percentage number very easily.  The answer is 100%.  There is always an unpatched exploit in the wild; just because it's not been found by the upstream vendor (and by extension the CentOS project) doesn't mean it's not being used in the wild.  I would hazard to say the risk from an unknown, but used, exploit is far greater than the 'window of opportunity' exploits you seem to be targeting.

I would also hazard to say that it would be similar in risk to 'window of opportunity' exploit timing in the Windows world; not because the OSes are similar in terms of security but because 'window of opportunity' exploit timing is the same regardless of the general security of the OS.  And I think studies of 'window of opportunity' exploits have been done and are publicly available.

I say this after having performed a risk assessment of our infrastructure myself, incidentally.  It's not a matter of 'if' you will be hacked, but 'when,' and this is being acknowledged in high-level security circles.

So you plan your high-availability solution accordingly, and plan for outages due to security issues just like you'd plan for network or power outages.  This is becoming standard operating procedure in many places.
