Consultant: Companies running critical infrastructure take months to patch holes


Companies that run critical infrastructure, such as utilities and oil refineries, are conspicuous targets for hackers, but according to recent research, they're often in no hurry to patch publicly known vulnerabilities. Red Tiger, a security consulting firm, has found that these companies take an average of 331 days to patch these holes, reports Andy Greenberg at Forbes.

The systems underpinning critical infrastructure can be difficult to patch because they aren't shut down on a regular basis the way other systems are. But when it takes nearly a year to eliminate a known flaw, hackers need not rely on zero-day attacks.

"Who needs a zero day when companies are this slow to patch bugs?" said Jonathan Pollet, founder and principal consultant at Red Tiger. "You just find a known vulnerability, point, click and exploit."

The malicious and unapproved programs Red Tiger has found on critical systems include network monitoring spyware, pornography servers, network access software and online gaming servers.

Red Tiger found that an oil refinery once took more than seven years to patch a vulnerability.

For more:
- see Andy Greenberg's article at Forbes
