Security Watch: Don't get burned by viruses and hackers.
Patch your software--and help secure the Net
By Robert Vamosi 
Senior associate editor, CNET Reviews
August 6, 2003

When a security researcher or a vendor first releases information about a software vulnerability, the clock starts ticking. How long will it be until a malicious user takes advantage of it?

According to Gerhard Eschelbeck, CTO of computer security company Qualys, not very long. He says that for about 80 percent of publicly known vulnerabilities, exploit code (such as a worm or a virus) appears within 60 days of their announcement.

Black Hat conference in Las Vegas
This information was presented by Eschelbeck at last week's Black Hat USA 2003 conference in Las Vegas as part of his Law of Vulnerabilities project. The project is the result of about a year's worth of analysis of the company's extensive vulnerability database.

Eschelbeck's findings give validity to what security experts have been saying for years: There's a limited window between the time a vulnerability is announced and when a patch must be applied.

If home users and corporate system administrators don't already know how important it is to apply fixes as soon as they're available, now there's concrete data to prove it. Eschelbeck's research should also help sysadmins justify the time and expense of implementing these patches to their bosses--and thus shorten the life of destructive worms and viruses.

After discussing his "60-day rule," Eschelbeck went on to present another key point from his project: Only half of all affected systems are patched within 30 days of a vulnerability's announcement--while the other half remain open to attack.

These unpatched systems keep vulnerabilities--and the worms and viruses that take advantage of them--alive on the Internet long after the fixes are released. As an example, Eschelbeck cited the Microsoft Index Server vulnerability that gave rise to Code Red in 2001. Code Red disappeared for a while but now is back, thanks to the recent appearance of unpatched installations of the server software.
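To turn the two figures above (exploit code within 60 days for most vulnerabilities, only half of systems patched within 30 days) into something an administrator can run against their own records, here is an added example, not from the column or from Qualys, that computes a patch-exposure report for one advisory. The advisory date, the host names and the patch dates are constructed sample data; the two thresholds are the column's own 60-day and 30-day figures.

```python
"""Patch-exposure report for one advisory.

Added illustration, not code from the column or from Qualys. The thresholds
come from the column (exploit code within 60 days; half of systems patched
within 30 days); the advisory date and host inventory below are constructed.
"""
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

EXPLOIT_WINDOW_DAYS = 60   # the column's "60-day rule"
PATCH_TARGET_DAYS = 30     # the column's 30-day patch window

# Constructed sample data: hypothetical advisory date and (host, date patched or None).
ADVISORY_DATE = date(2003, 6, 1)
HOSTS: List[Tuple[str, Optional[date]]] = [
    ("web-01", date(2003, 6, 5)),
    ("web-02", date(2003, 6, 20)),
    ("db-01", date(2003, 7, 15)),
    ("mail-01", None),            # still unpatched
    ("fs-01", date(2003, 6, 28)),
    ("legacy-01", None),          # still unpatched
]


def exposure_days(patched: Optional[date], advisory: date, today: date) -> int:
    """Days the host stayed vulnerable after the advisory.

    An unpatched host is counted up to `today`; a host patched before the
    advisory was published is counted as zero days exposed.
    """
    end = patched if patched is not None else today
    return max(0, (end - advisory).days)


def patched_fraction_by(hosts, advisory: date, days: int) -> float:
    """Fraction of hosts patched within `days` of the advisory."""
    cutoff = advisory + timedelta(days=days)
    done = sum(1 for _, p in hosts if p is not None and p <= cutoff)
    return done / len(hosts)


def report(hosts, advisory: date, today: date) -> Dict[str, object]:
    """Summarise exposure for an advisory: fraction patched by the 30-day
    target, median exposure (the 'half-life' of the vulnerability in this
    fleet), and hosts whose exposure exceeded the 60-day exploit window."""
    exposures = sorted(exposure_days(p, advisory, today) for _, p in hosts)
    mid = len(exposures) // 2
    if len(exposures) % 2 == 0:
        median = (exposures[mid - 1] + exposures[mid]) / 2
    else:
        median = exposures[mid]
    past_window = [h for h, p in hosts
                   if exposure_days(p, advisory, today) > EXPLOIT_WINDOW_DAYS]
    return {
        "patched_by_target": patched_fraction_by(hosts, advisory, PATCH_TARGET_DAYS),
        "median_exposure_days": median,
        "still_unpatched": [h for h, p in hosts if p is None],
        "past_exploit_window": past_window,
    }


if __name__ == "__main__":
    r = report(HOSTS, ADVISORY_DATE, date(2003, 8, 6))
    print(f"Patched within {PATCH_TARGET_DAYS} days: {r['patched_by_target']:.0%}")
    print(f"Median exposure: {r['median_exposure_days']} days")
    print("Unpatched:", ", ".join(r["still_unpatched"]) or "none")
    print(f"Exposed beyond the {EXPLOIT_WINDOW_DAYS}-day window:",
          ", ".join(r["past_exploit_window"]) or "none")
```

Run as a script with the column's publication date as "today" and the sample fleet lands exactly on the column's figure: half the hosts are patched by day 30, and the two hosts that are still unpatched have now been exposed for longer than the window in which exploit code usually appears, which is the list an administrator would take to management.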

Data you can use
Joining Eschelbeck at the Black Hat session were several other security experts, including Black Hat Briefings CEO Jeff Moss and BindView's Mark Loveless (a.k.a. Simple Nomad). Loveless pointed out that along with public announcements, malicious users find out about unannounced or recently announced vulnerabilities through an online black market.

This means that malicious users may know about even more vulnerabilities than many security experts or the general public, and it underscores the need for software developers to hold off on releasing products until they are truly secure.

Of course, in the end, it's the often overworked system administrators who are responsible for patching vulnerable systems and who catch hell when a new virus takes down their company's network (or, worse, part of the Internet).

Eschelbeck's research gives these admins ammunition when asking management for more resources to do this work. Often, patches are not applied in a timely manner simply because an IT department is too busy with other tasks. With hard data now available that shows the life cycle of vulnerabilities, I hope more systems will be updated sooner--and, as a result, both corporate networks and the Net will become safer for all users.

What do you think? Do you apply software patches as soon as they're available? Why or why not? Will Eschelbeck's research change anything? TalkBack to me.
