Study: Exploit Wednesday more myth than reality
Published: 2007-06-26

Assertions by several security researchers and news articles that exploits for previously unknown vulnerabilities appear soon after Microsoft's regularly scheduled Patch Tuesday seem to have little basis in reality, according to an analysis of some 200 zero-day vulnerabilities by security firm McAfee.

Defining a zero-day vulnerability as "the public availability of exploit information on the same day that a vulnerability is publicly disclosed," McAfee security researcher Craig Schmugar surveyed 200 zero-day flaws spanning the past three years and found little evidence that exploits are released on the day following Microsoft's Patch Tuesday.

Schmugar found that only 18 percent of zero-day flaws found in 2005 fell within 3 days before or after Patch Tuesday, well short of the 23 percent that represents a random distribution. In 2007, about 24 percent of all zero-day flaws fell within the 3-day bracket, while 31 percent of zero-day vulnerabilities in 2006 fell within 3 days of Patch Tuesday. While the 2006 numbers could indicate a preference to release close to Patch Tuesday, the deviation is not large enough to support the theory, Schmugar said.

"It’s more likely that many attackers do not wait and (instead) simply release their threats as soon as they are ready to be released," Schmugar stated in the analysis. "The more time that passes, the greater the chance that the vulnerability will be disclosed and/or patched."

Several researchers and reporters have dubbed the day following Microsoft's Patch Tuesday "Exploit Wednesday" or "Zero-day Wednesday," positing that attackers can maximize the time they have to exploit a vulnerability effectively by releasing as close to Patch Tuesday as possible. The exploits that seemingly best fit the profile are those that take advantage of vulnerabilities in Microsoft Office and are discovered in the wild. While such a discovery may happen soon after Patch Tuesday, Schmugar pointed out that there is no way to tell when the exploit was first released.

Only about 10 percent of zero-day vulnerabilities were discovered in the wild, Schmugar found.

Posted by: Robert Lemos
Copyright 2009, SecurityFocus