What Unpatched Vulnerabilities Reveal: A Red Teamer's Perspective by Trevin Edgeworth, Director of Red Team
Bishop Fox's Red Team Director, Trevin Edgeworth, spotlights two notable vulnerabilities that were left unpatched for years on end and discusses how unpatched vulnerabilities can wreak havoc on businesses. One is a six-year-old flaw in Microsoft Office; the other is a flaw in Google Web Toolkit (GWT) that went unaddressed for eight years.
Recent news reflected a vulnerability tale as old as time, with the operative word being "old." Two known but long-unpatched vulnerabilities were revealed to have affected numerous organizations. One was a 6-year-old Microsoft Office remote code execution (RCE) flaw being actively used to deliver spyware via malicious Excel attachments. The other was an eight-year-old unpatched vulnerability in the GWT framework discovered by Bishop Fox researcher Ben Lincoln. Originally developed by Google, GWT is an open-source development toolkit for building and optimizing complex browser-based applications. This critical vulnerability could expose application owners to server-side remote code execution (RCE) by unauthenticated attackers.
While these vulnerabilities differ in where they reside and in the nature and status of a patch, they share an all-too-common and unsettling attribute: existing in plain sight for more than half a decade without being addressed.
While we could dive into the vagaries of the software supply chain, or the massive discrepancies in how organizations manage vulnerabilities and patching, we decided to take a different tack. We asked our Red Team Practice Director, Trevin Edgeworth, what long-standing, unpatched vulnerabilities communicate to a Red Teamer, how Red Teamers approach and leverage them, and whether such a vulnerability is a fatal flaw. Because the two situations differ in terms of patch availability, Trevin took the opportunity to dive a little deeper and differentiate how each changes a Red Team's perspective.
Session Summary
In this analysis, Bishop Fox's Red Team Practice Director Trevin Edgeworth examines how long-standing unpatched vulnerabilities serve as valuable intelligence for both red teams and malicious attackers. Drawing from two prominent examples, a six-year-old Microsoft Office memory corruption flaw (CVE-2017-11882) and an eight-year-old Java deserialization vulnerability in Google Web Toolkit, Edgeworth explains how the presence of these vulnerabilities reveals systemic weaknesses in an organization's security posture that extend far beyond the vulnerabilities themselves.
The discussion illuminates how enterprise vulnerability management resembles a pyramid, with operating system patches at the foundation, common applications in the middle, and specialized applications at the top. Organizations often manage the lower layers effectively but struggle with applications higher in the pyramid. Edgeworth reveals that when his red team encounters long-unpatched vulnerabilities like the Microsoft Office flaw, it signals deeper issues: the organization likely lacks endpoint hardening, may not have adopted modern cloud-based software with automatic updates, and may have siloed security responsibilities that create visibility gaps. Similarly, with vulnerabilities lacking vendor patches like the GWT issue, an organization's inability to implement alternative mitigations suggests overreliance on patching as the sole remediation strategy and poor coordination between IT and development teams.
Throughout the session, Edgeworth emphasizes that sophisticated attackers don't just exploit these vulnerabilities tactically; they use them as strategic intelligence to map the organization's security landscape, identify paths of least resistance, and craft attack chains that minimize detection risk. This perspective shifts the conversation from viewing vulnerabilities as isolated technical issues to understanding them as indicators of broader security culture and maturity problems that shape an attacker's entire approach to compromising an environment.
Key Takeaways
- Vulnerabilities as intelligence sources - Beyond direct exploitation, unpatched vulnerabilities provide attackers with strategic insights about security maturity and organizational priorities.
- Endpoint security prioritization - Many organizations focus security efforts on servers and infrastructure while neglecting endpoint hardening, creating opportunities for attackers to establish and maintain footholds.
- Maturity indicators - The prevalence of long-standing vulnerabilities often indicates an organization isn't ready for advanced red team testing or prepared to defend against sophisticated real-world attacks.
- Organizational silos impact security - Gaps between IT operations, security teams, and development groups create vulnerability blind spots, especially for issues requiring non-patch mitigations.
- Lateral movement opportunities - Attackers leverage unpatched vulnerabilities not just for initial access but for moving between systems, particularly targeting privileged users with the same weaknesses.
- Strategic attack planning - Sophisticated attackers use vulnerability intelligence to map an environment's weaknesses and design attack chains that minimize detection risk while maximizing success probability.
Who Should Watch
This video offers valuable insights for several security and IT stakeholders:
- Security leaders and CISOs seeking to understand how technical vulnerabilities reflect broader organizational security maturity issues
- Vulnerability management teams looking to prioritize remediation efforts beyond traditional severity ratings
- Security operations personnel who want to understand how attackers think strategically about environment reconnaissance
- IT operations teams responsible for patching and endpoint management
- Application security professionals navigating scenarios where patches aren't available
- Red team practitioners who want to improve their approach to adversary simulation by thinking beyond exploitation
The session is particularly valuable for organizations transitioning from compliance-focused security to a more threat-informed defense model, as it bridges technical vulnerability details with strategic security thinking.
Chapters
0:00:00 - Microsoft Office Memory-Corruption Flaw
0:07:24 - GWT Java Serialization Flaw