Hello, welcome to the Monday, May 20th, 2019 edition of the Sandsenet Storm Center's Stormcast. My name is

Johannes Ulrich. And the time I'm recording from Jacksonville, Florida. Google released some statistics

about how long it takes vendors to actually patch Saturday vulnerabilities after they're being exploited in the wild.

We of course had a number of these issues over the last few years and there's obviously

a lot of pressure of course on the vendor once they learn about a vulnerability that's actually

already being exploited to then release a patch.

Overall, Google finds about one of these vulnerabilities

every 17 days, but the write-up also states that this is really just the average. What

usually happens is when they are coming across, for example, some malware that takes advantage

of Sierra Day, they quite often

find several of them because you have an entire sort of tool chain of exploits that's

then being essentially used.

I think vendors actually don't do too bad when it comes to the patching of these

vulnerabilities. Take someone average 15 days, so again,

about two weeks to come up with a patch, which overall I wouldn't really consider bad.

Google also released a detailed spreadsheet with the raw data used for the analysis, so you can go through this and sort of

draw your own conclusion based on vendors and the like.

Now one thing that Google specifically states they do not know, and that's sort of one

of those big unknowns here, how long it actually takes for the exploit to be discovered after it was first used in the wild.

I would think that there are a number of different parameters that this depends on,

like how frequently it's being used and against what targets it's being used,

like how sophisticated are these targets when it comes to detecting new exploits.

...