Every once in a while, security vulnerabilities are discovered on the most secure platforms, and when that happens, the IT community worldwide becomes abuzz with information, warnings, and security advice within hours. This is the time when vulnerabilities - small cracks in the thick mantle of security software protecting the integrity of a cloud server - are called zero-day vulnerabilities, indicating the time period in which the crack has been found, but a fix is still pending.
Luckily, this fix is usually available very fast. Most zero-day vulnerabilities have a patch available by the time the general excitement starts. Patches generally are full, definite fixes of the problem, they close the "crack" and prevent any future exploitation.
The recent GHOST and Heartbleed vulnerabilities were an example of this. The problem is, once a risk has been disclosed to the general public, so will explanations on how to exploit it. Within a very short time, tools are available for download that can easily be morphed into automatic hack-bots, scanning the Internet for unpatched servers.
Thus, the real exposure is in these hours right after the announcement. During this time, system administrators, hosting providers, devops and client service managers need to work together to patch systems as quickly as possible.
Of course, as with many providers, our team has a standard procedure for these cases. When GHOST was discovered, we followed our standard risk mitigation checklist:
We appreciate that WebPal clients generally are business-level users and care not so much about the technical details of the vulnerability, but for the disruptions the fix causes, versus the potential risk of complacency. WebPal clients rely on us to fend off serious threats, but forcing unnecessary reboots for every security update (there are dozens a month) would merely be a method of offloading risk management onto them and thus not provide any added value. Our advantage is that we know the business use of WebPal Cloud Servers very well, and with this knowledge, can make risk mitigation decisions that are in line with our client's needs.