If you need a good example of this, just take a look at the recent hubbub over Heartbleed. Although this patch is listed as critical, and the flaw can result in loss of client data and even worse, less than half of the originally reported 600,000 servers have been patched to fix it. According to David Graham there was a rush to patch right after Heartbleed was announced (again). Around 280,000 servers were patched shortly after Heartbleed was announced, but since that time only about 9,000 have been patched, leaving around 309,000 still exposed.
Graham fears that because Heartbleed is no longer making headlines, people are not even trying to patch their systems (security by obscurity). This is not a good way to fly: while the consumer and the rest of the market might forget about a flaw or vulnerability, hackers and other malicious individuals do not. These systems are left completely open to this flaw and everything that can happen with it.
Graham also says that the number of exposed systems could be much higher, as companies start blocking the scan he uses to detect the vulnerable version of OpenSSL. It is sort of sad to see that many servers still unpatched when the upgrade to OpenSSL is not that difficult to perform and the downtime associated with it far outweighs potential lost revenue.
Makes you wonder doesn’t it?
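The article mentions a scan that detects the vulnerable version of OpenSSL. As an added example (not code from the article or from Graham's scanner), here is a small inventory triage script an operator could run against the `openssl version` banners collected from their own hosts. It encodes the affected range as published by the OpenSSL project (1.0.1 through 1.0.1f, plus 1.0.2-beta1; 1.0.1g carries the fix) and flags banners it cannot parse as "unknown" rather than treating them as safe. The host names and banners below are constructed sample data, and the function names are this example's own.

```python
import re

# Heartbleed (CVE-2014-0160) affects OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1;
# 1.0.1g is the fixed release. Caveat for the operator: distributions often backport
# the fix without bumping the upstream version string, so "affected" here means
# "check the package changelog", not confirmed exposure.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(\S+))?")


def parse_openssl_version(banner):
    """Parse 'openssl version' output into (major, minor, patch, letter, tag).

    Returns None when the banner does not look like an OpenSSL version string
    (for example LibreSSL, or a banner that was deliberately blanked).
    """
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter, tag = m.groups()
    return (int(major), int(minor), int(patch), letter, tag or "")


def is_heartbleed_affected(banner):
    """True if the reported version falls inside the published affected range."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        raise ValueError("unrecognised OpenSSL version string: %r" % banner)
    major, minor, patch, letter, tag = parsed
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g and later are fixed.
        return letter == "" or letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        # Only the first 1.0.2 beta shipped the vulnerable heartbeat code.
        return tag.startswith("beta1")
    return False


def triage_inventory(inventory):
    """Map {host: banner} to {host: 'affected' | 'clear' | 'unknown'}.

    Unparseable banners are reported as 'unknown' so they get a human look
    instead of silently dropping out of the patch queue.
    """
    verdicts = {}
    for host, banner in inventory.items():
        try:
            verdicts[host] = "affected" if is_heartbleed_affected(banner) else "clear"
        except ValueError:
            verdicts[host] = "unknown"
    return verdicts


# Constructed sample inventory (hypothetical hosts and banners, not real data).
SAMPLE_INVENTORY = {
    "web-01.example.test": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "web-02.example.test": "OpenSSL 1.0.1g 7 Apr 2014",
    "mail-01.example.test": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "legacy-01.example.test": "OpenSSL 0.9.8y 5 Feb 2013",
    "bsd-01.example.test": "LibreSSL 2.0.0",
}

if __name__ == "__main__":
    for host, verdict in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print("%-24s %s" % (host, verdict))
```

The version check is the cheap first pass; it narrows the list of hosts to look at, after which confirming the fix means checking the installed package's changelog or probing the heartbeat handling directly, since a backported fix leaves the banner unchanged.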