News Insights: Patch Procrastination with Trevin Edgeworth, Director of Red Team

Bishop Fox's Red Team Director, Trevin Edgeworth, spotlights two notable vulnerabilities that sat unaddressed for years and discusses how unpatched vulnerabilities can wreak havoc on businesses: one, a six-year-old flaw in Microsoft Office that is still being exploited; the other, a flaw in Google Web Toolkit (GWT) that has gone unaddressed for eight years.

Recent news reflected a vulnerability tale as old as time, with the operative word being "old." Two known but long-unpatched vulnerabilities were revealed to be affecting numerous organizations. One was a six-year-old Microsoft Office remote code execution (RCE) flaw being actively used to deliver spyware via malicious Excel attachments. The other was an eight-year-old, still unpatched vulnerability in the GWT framework's Java serialization handling, discovered by Bishop Fox researcher Ben Lincoln. Originally developed by Google, GWT is an open source development toolkit for building and optimizing complex browser-based applications. This critical vulnerability could expose application owners to server-side remote code execution (RCE) by unauthenticated attackers.

While these vulnerabilities differ in where they reside and in the nature and status of a patch, they share an all-too-common and unsettling attribute: sitting in plain sight for more than half a decade without being addressed.

While we could dive into the vagaries of the software supply chain, or the massive discrepancies in how organizations manage vulnerabilities and patching, we decided to take a different tack. We asked our Red Team Practice Director, Trevin Edgeworth, what long-standing, unpatched vulnerabilities communicate to a Red Teamer, how Red Teamers approach and leverage them, and whether they are a fatal flaw. Because the two situations differ in terms of patch availability, Trevin took the opportunity to dive a little deeper and differentiate how each changes a Red Team's perspective.

Chapters

0:00:00 - Microsoft Office Memory-Corruption Flaw

0:07:24 - GWT Java Serialization Flaw

About the author, Trevin Edgeworth

Red Team Practice Director

Trevin Edgeworth is the Red Team Practice Director at Bishop Fox, where he focuses on building and leading best-in-class adversary emulation services to help customers of all sizes and industries strengthen their defenses against current and emerging threats.

Trevin has over 20 years of security experience; he has built and overseen red team programs for several Fortune 500 companies, including American Express, Capital One Financial, and Symantec Corporation. Other accomplishments include leading a security organization as Chief Security Officer (CSO) for a major security company. Trevin has led a variety of security functions in his career, including cyber threat intelligence, threat hunting, deception, insider threat, and others.

Trevin is an active member of the security community. He has presented at several industry conferences and been interviewed by leading publications on topics such as red teaming and threat intelligence.