Non-critical flaws tend to go unpatched for months

Firewalls, routers, servers, switches, SANs, PBXes, security and related topics

Post by Red Squirrel »

This is so true!


------------------------------------
Critical vulnerabilities tend to get patched fast. Other vulnerabilities tend to be overlooked by sysadmins and patched as late as two months after fixes are released.

These were some of the findings in a study presented at the Black Hat conference of computer security professionals, which ended in Las Vegas yesterday AEST.

The study, called Laws of Vulnerabilities and based on 1.5 million scans over a year and a half, was presented by Gerhard Eschelbeck, the chief technology officer of Qualys, a company that handles on-demand security audits and vulnerability management.

Eschelbeck said the study had found that some vulnerabilities - like the Code Red and Slammer worms - did not completely die out but tended to re-assert themselves.

He said this was probably because companies continued to install out-of-date software that was susceptible to these old vulnerabilities but added that he could not say this with 100 percent certainty.

The study came to the following conclusions:

- Half-Life: The half-life of critical vulnerabilities is 30 days and doubles with lowering degrees of severity;
- Prevalence: 50 percent of the most prevalent and critical vulnerabilities are being replaced by new vulnerabilities on an annual basis;
- Persistence: The lifespan of some vulnerabilities is unlimited; and
- Exploitation: 80 percent of vulnerability exploits are available within 60 days after the vulnerability release.

source



Archived topic from Iceteks, old topic ID:1176, old post ID:10296
Honk if you love Jesus, text if you want to meet Him!
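The "half-life" law quoted above is an exponential-decay statement: every half-life period, the share of still-vulnerable hosts halves, and the period itself doubles with each lower severity degree. The following is an added example (not code from the article, the study, or Qualys) that turns that law into a small model so a practitioner can read off exposure at a given day or the days needed to reach a patch-coverage target. The four tier names and the assumption that each tier is exactly one "degree of severity" below the previous one are this example's own; the article only gives the 30-day critical half-life and the doubling rule.

```python
import math

# From the study as quoted in the post: half-life of critical vulnerabilities is 30 days.
CRITICAL_HALF_LIFE_DAYS = 30.0

# Assumption for this example: four severity tiers, each one "degree" below the
# previous, so the half-life doubles per tier. The tier names are not from the study.
SEVERITY_TIERS = ("critical", "high", "medium", "low")


def half_life_days(severity: str) -> float:
    """Half-life for a tier: 30 days for critical, doubling for each lower tier."""
    steps = SEVERITY_TIERS.index(severity)  # raises ValueError for an unknown tier
    return CRITICAL_HALF_LIFE_DAYS * (2 ** steps)


def fraction_unpatched(severity: str, days: float) -> float:
    """Share of vulnerable hosts still unpatched `days` after the fix is released.

    Interprets the study's "half-life" as exponential decay: f(t) = 0.5 ** (t / h).
    """
    if days < 0:
        raise ValueError("days must be non-negative")
    return 0.5 ** (days / half_life_days(severity))


def days_to_patch_fraction(severity: str, target: float) -> float:
    """Days until `target` of vulnerable hosts are patched (0 < target < 1).

    Solving 0.5 ** (t / h) = 1 - target for t gives t = h * log2(1 / (1 - target)).
    """
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    return half_life_days(severity) * math.log2(1.0 / (1.0 - target))


def patch_status_table(checkpoints=(30, 60, 90, 180)) -> dict:
    """Per-tier unpatched fraction at each checkpoint plus days to 90% and 99% patched.

    The 60-day checkpoint is the one to compare against the study's exploitation law
    (80 percent of exploits available within 60 days of release).
    """
    table = {}
    for tier in SEVERITY_TIERS:
        table[tier] = {
            "half_life_days": half_life_days(tier),
            "unpatched": {d: fraction_unpatched(tier, d) for d in checkpoints},
            "days_to_90pct": days_to_patch_fraction(tier, 0.90),
            "days_to_99pct": days_to_patch_fraction(tier, 0.99),
        }
    return table


if __name__ == "__main__":
    for tier, row in patch_status_table().items():
        unpatched = ", ".join(f"day {d}: {f:.0%}" for d, f in row["unpatched"].items())
        print(f"{tier:9s} h={row['half_life_days']:5.0f}d  {unpatched}  "
              f"90%@{row['days_to_90pct']:.0f}d  99%@{row['days_to_99pct']:.0f}d")
```

Under these assumptions a critical flaw is still present on a quarter of hosts at day 60, while a low-severity one (240-day half-life) is still present on about 84 percent of them at the point where, per the study's exploitation law, most public exploits already exist. The model is only as good as the two numbers the study gives; the tier spacing in particular is a placeholder to be replaced with a scan-derived half-life per severity class.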