Digital Identity Blog

Thought leadership for cybersecurity, fraud and digital channel professionals

Software Patches and Fixes Are Like Whack-a-Mole. Fix a Flaw and Another Jumps Up to be Exploited.

By ThreatMetrix
ThreatMetrix®, The Digital Identity Company®, is the market-leading cloud solution for authenticating digital personas and transactions on the Internet. Verifying more than 20 billion annual transactions supporting 30,000 websites and 4,000 customers globally through the ThreatMetrix Digital Identity Network®, ThreatMetrix secures businesses and end users against account takeover, payment fraud and fraudulent account registrations resulting from malware and data breaches.

Ever hear the phrase "we can fix it in beta"? Sean Kalinich, in his piece on, observes that this has been a common practice with software companies. However, fixing and patching flaws after a rollout only makes the exploit problem that much worse.

(Too) many companies allow software and devices to be released to the world without proper testing. The intention to patch these flaws is usually there, but by the time they get around to it, someone else has discovered the flaws and new malware is on the streets.

What is even more interesting is that when companies do fix holes in their software, all that does is start the conversation again. Right after Oracle updated Java to patch a number of flaws, I was told about a "discussion" of exploits and flaws for Java. Some of these were over five years old and still functional, while others were new. From what I was told, this is very normal and appears to confirm a suspicion that I have had for a while: if an exploit is not made public or is not widely used, no effort is made to patch it. There also appears to be a big malware push right after an update is released, so that they can reach more people before everyone can update their software.

Between flaws in operating systems, plug-ins and bad user habits, the malware writers have a very easy time of it. To give you a simple example, during a recent malware outbreak one user actually stated: "It was a weird email so I opened it to see what it was." (To quote that world-renowned savant, Bugs Bunny, "What a maroon!")

The user clearly knew it was out of the ordinary, but opened it anyway and caused a serious amount of damage to the network. The same user never reported the initial infection, but just moved to another computer. They only reported that their files appeared to be corrupted. By the time anyone was made aware of the infection it was hours later, and additional files had been damaged.

This type of scenario is repeated daily around the world, and not just with malware that is visible. If someone installs malware on a system that is designed to hide and gather information, it could remain unnoticed for a long time.

The people behind the spread of malware know these patterns and exploit them just as much as they do flaws in software and hardware. This makes stopping malware impossible, and even makes slowing it down a tall order.
