Just ONE day after the announcement of the NINETEEN-YEAR-OLD bug in the very popular WinRAR utility, Check Point Software found examples of it being exploited in the wild. Given that the vast majority of the 500 million copies will likely NEVER be patched and the fact that the bug allows the hacker to take over full control of the system, this is a bit problematic. The good news is that it is possible that certain parts of the attack will be blocked (today, in this version) if the user is not a local admin.
In a somewhat entertaining turn of events, the WinRAR folks can’t find the source code necessary to fix the nineteen-year-old bug, so they opted to just remove the affected feature completely. Likely the loss of this feature will not be noticed by most users.
And this situation is not unusual.
Also this week, the developers at Drupal patched a critical flaw that would allow hackers to take over your web site. It is more likely that this bug will be patched than the WinRAR bug, but I am sure that there are many web sites that will never be patched.
Drupal is open source and WinRAR is closed source, illustrating that all software is buggy and that open-source software is not statistically any less buggy than closed-source software.
So what should you be doing?
If you do not already have a complete inventory of all software installed on all user devices and all servers, that is the place to start. This inventory needs to be updated frequently.
Once you have this inventory, you need to come up with a plan to monitor all of these applications for available patches and disclosed bugs, so that you can patch these bugs quickly once patches are available, and so that you can place the findings in your cyber risk register if either there is no patch or you are making a decision not to install the patches now (or possibly ever).
Creating this protocol is important since the ONE DAY WINDOW BETWEEN THE ANNOUNCEMENT OF THE WINRAR PATCH AND THE EXPLOIT BEING FOUND IN THE WILD IS NOT ALL THAT UNUSUAL.
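One way to turn that inventory and monitoring protocol into something repeatable, as an added example that is not part of the original post: match each installed product against a list of vendor advisories, turn anything below the fixed version into a patch task (exploited-in-the-wild bugs first), and route anything with no patch, or with a conscious decision to defer, into the risk register. The hosts, the `ExampleCMS` product and all version numbers are constructed placeholders, not real WinRAR or Drupal releases.

```python
"""Triage a software inventory against vendor advisories.  Added example, not
code from the original post; inventory rows, advisories and version numbers
below are constructed placeholders, not real WinRAR or Drupal releases."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Advisory:
    product: str
    fixed_version: Optional[str]  # None means no patch is available yet
    exploited_in_wild: bool
def parse_version(v: str) -> tuple:
    # "5.70.1" -> (5, 70, 1); non-numeric components compare as 0
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))
def triage(inventory, advisories, accepted_risk=frozenset()):
    """Return (patch_tasks, risk_register). An installed product that has no
    fix, or whose patch the business has decided to defer, goes to the risk
    register; anything else below the fixed version becomes a patch task,
    with exploited-in-the-wild bugs first."""
    by_product = {a.product: a for a in advisories}
    patch_tasks, risk_register = [], []
    for host, product, version in inventory:
        adv = by_product.get(product)
        if adv is None:
            continue  # no known advisory for this product
        if adv.fixed_version and parse_version(version) >= parse_version(adv.fixed_version):
            continue  # already at or above the fixed version
        entry = {"host": host, "product": product, "version": version,
                 "exploited_in_wild": adv.exploited_in_wild}
        if adv.fixed_version is None:
            risk_register.append({**entry, "reason": "no patch available"})
        elif (host, product) in accepted_risk:
            risk_register.append({**entry, "reason": "patch deferred by decision"})
        else:
            patch_tasks.append({**entry, "fixed_version": adv.fixed_version})
    patch_tasks.sort(key=lambda e: not e["exploited_in_wild"])  # stable: in-the-wild first
    return patch_tasks, risk_register

# Constructed sample inventory (host, product, version) and advisories
INVENTORY = [("ws-01", "WinRAR", "1.0"), ("ws-02", "WinRAR", "1.1"),
             ("web-01", "Drupal", "2.0"), ("web-02", "Drupal", "2.0"),
             ("web-02", "ExampleCMS", "3.0")]
ADVISORIES = [Advisory("WinRAR", "1.1", exploited_in_wild=True),
              Advisory("Drupal", "2.1", exploited_in_wild=False),
              Advisory("ExampleCMS", None, exploited_in_wild=False)]

if __name__ == "__main__":
    for kind, rows in zip(("PATCH", "RISK"), triage(INVENTORY, ADVISORIES, {("web-02", "Drupal")})):
        print(kind, *rows, sep="\n  ")
```

Rerun it every time the inventory or the advisory feed changes; the risk-register entries are the ones that need a documented owner and a review date.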
As a side note, if you choose not to follow my advice and later have a breach attributed to a missing patch (think of the Equifax breach as an example of the problem missing patches cause), make sure your lawyers are all paid up because you will be sued.
Source: The Hacker News.