Futility of Patching

I have seen recently some figures that are concerning me. They don't surprise me as such, however they concern me.

I was talking to some friends who are rolling out a similar piece of software one we are implementing, and there are some trends out there that really lead to no surprises on reliability and security of shared hosting services.

Lets start with these three gems:




Okay. Right. Oh. Well...  O_o

...let that just sit there - adsorb that for a bit....

Allow me to share some graphics to help articulate how bad that looks.

vuln_stateofplayABOVE: Ouch - Half?! Damn. What is more that *HALF* is due to a small percentage of users - this tends to suggest that this would be "developers" or people with reseller style accounts allowing them to deliver a number of (poorly secured) sites from that one user.... which sticks in the throat. A lot. As for applications detected there - that is close to 80% WordPress, 11% Joomla, 5% Drupal.

vulnerableusersABOVE: Can you guess which day we did the audit on this server? Can you? Go on - you know you want to.

There really is *ZERO* surprise that shared hosting is blighted with compromised sites attacking others, phishing, spear phishing, spamming, getting blacklisted.... this is how the customer shooting itself in the foot - right there.

When you start looking at hard stats of things like the generally recognised 98%+ of all inbound email connections never make it to SMTP acceptance are rejected on Blacklist, Greylist, Reputation, lack of rDNS, compliance matters.... we can now add these to the mix of stats that are going to sound like they are made up.

They are not.

Coming from the background of quietly accepting that "not all developers are created equally" ( the same goes for engineers in their defence) - we run a service, where people can pretty much upload anything that we have asked nicely via T&C, UAP, and via implication of residency the Law of the Land allows... or at least can try to unless we spot it and take it down. However - that list now includes knowledgeably, demonstrably, will automatically patch anyway... CMS and similar platforms.

I am reminded at this point of the video if you have seen it where some rather shady looking guerillas (soldier type) hand their AK over to a chimp that has been watching them. "I CAN DO THIS". Yes - yes you can - and become a danger to yourself and others.

So - what do you do?

Well - roll out a solution that allows you to identify, patch where possible, and most importantly workflow-the-shit out of notifications with regards to patching and vulnerabilities.

Kicking and screaming - you watch the threat profile drop, day by day - as you attempt to drag the populous into the current, real, up-to-date world.


The one that you had always told yourself about. The one that there was no point worrying about as you would never see it coming.

Last week - after a full week of attacks, grief, take down requests coming in thick, fast, publicly - and working above and beyond to help make sure peoples shit is as safe as it can be.... you realise on Monday morning that the last act of Friday was to find a way for someone to continue using PHP 5.3. Otherwise, "their website would not work".... and equally you know that is the right thing to do... as they have not had a developer in years, and its a busy time of year for them, and "I don’t understand" how important their site is for them.

I genuinely have no words to describe how that feels.

For all the good I am doing - fighting the good fight - I am enabling it's continuation.

Can we just cut back to the monkey and the machine gun please, I believe another little bit of me died.

Leave a Reply

Your email address will not be published. Required fields are marked *