Companies slowest to fix Office, Acrobat flaws
Published: 2009-04-29

Companies are only marginally better at quickly plugging security holes, while exploit writers typically produce attacks within days, according to research recently released by security firm Qualys.

In a report published at last week's RSA Security Conference, the firm released the results of the approximately 80 million vulnerability scans it conducted for its customers in 2008. During the scans, Qualys detected 680 million vulnerabilities, of which about 11 percent were considered critical.

Depending on the industry, companies typically patched their systems at different speeds. The service industry appeared to fix issues the fastest, with 50 percent of all systems patched in the three weeks following the release of a fix for a particular flaw. The financial and retail sectors lagged slightly behind, with an average vulnerability half-life, in which half of systems are patched, of 23 and 24 days, respectively. Manufacturing companies took much longer to patch — with a 51-day half-life — while healthcare companies split the difference with a 38-day half-life.

The average across all companies, 29.5 days, was only slightly better than the 30-day median patch time found in an earlier Qualys study from 2003. Yet, the company said, attackers were producing exploits much faster: 80 percent of exploits appeared on the Internet within 10 days of a flaw's disclosure.
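To make the half-life metric concrete, the following is an added Python example, not code from Qualys or from the article, that computes it from constructed per-host patch dates grouped by industry. It also reports the share of hosts patched inside a 10-day window, the period in which the article says 80 percent of exploits appear, so the two figures can be compared directly. The fix-release date, group names and host dates are all constructed sample data.

```python
"""Compute a vulnerability half-life from per-host patch observations.

Half-life, as the article uses the term: the number of days after a vendor
releases a fix until half of all affected systems have been patched.
Hosts never seen patched still count in the denominator.
"""
import math
from datetime import date
from typing import Dict, List, Optional

# Constructed sample data (not from the report): one hypothetical flaw, the
# day its fix was released, and the date each affected host was first observed
# patched by a scanner. None means the host was still unpatched at the end of
# the observation period.
FIX_RELEASED = date(2008, 3, 1)
GROUPS: Dict[str, Dict[str, Optional[date]]] = {
    "service": {
        "svc-01": date(2008, 3, 3),  "svc-02": date(2008, 3, 6),
        "svc-03": date(2008, 3, 10), "svc-04": date(2008, 3, 13),
        "svc-05": date(2008, 3, 16), "svc-06": date(2008, 3, 21),
        "svc-07": date(2008, 3, 26), "svc-08": date(2008, 4, 10),
        "svc-09": None,              "svc-10": None,
    },
    "manufacturing": {
        "mfg-01": date(2008, 3, 9),  "mfg-02": date(2008, 3, 15),
        "mfg-03": date(2008, 3, 31), "mfg-04": date(2008, 4, 15),
        "mfg-05": date(2008, 4, 21), "mfg-06": date(2008, 4, 30),
        "mfg-07": None, "mfg-08": None, "mfg-09": None, "mfg-10": None,
    },
    # A small group that never reaches 50 percent patched: half-life undefined.
    "lab": {"lab-01": date(2008, 3, 4), "lab-02": None, "lab-03": None, "lab-04": None},
}


def days_to_patch(fix_released: date,
                  patch_dates: Dict[str, Optional[date]]) -> List[int]:
    """Sorted days-after-fix for every host that was actually patched."""
    return sorted((d - fix_released).days
                  for d in patch_dates.values() if d is not None)


def half_life_days(fix_released: date,
                   patch_dates: Dict[str, Optional[date]],
                   fraction: float = 0.5) -> Optional[int]:
    """Day offset at which at least `fraction` of ALL hosts were patched.

    Returns None when the group never reaches that fraction within the
    observation period (the metric is undefined, not zero).
    """
    total = len(patch_dates)
    if total == 0:
        return None
    durations = days_to_patch(fix_released, patch_dates)
    needed = math.ceil(total * fraction)
    if len(durations) < needed:
        return None
    # durations is sorted, so the needed-th patch fixes the crossing day.
    return durations[needed - 1]


def fraction_patched_by(fix_released: date,
                        patch_dates: Dict[str, Optional[date]],
                        days: int) -> float:
    """Share of all hosts patched within `days` of the fix release."""
    total = len(patch_dates)
    if total == 0:
        return 0.0
    patched = sum(1 for d in patch_dates.values()
                  if d is not None and (d - fix_released).days <= days)
    return patched / total


def report(fix_released: date,
           groups: Dict[str, Dict[str, Optional[date]]],
           exploit_window_days: int = 10) -> Dict[str, dict]:
    """Per-group half-life and share patched inside the exploit window."""
    return {
        name: {
            "half_life_days": half_life_days(fix_released, hosts),
            "patched_in_window": fraction_patched_by(
                fix_released, hosts, exploit_window_days),
        }
        for name, hosts in groups.items()
    }


if __name__ == "__main__":
    for name, stats in report(FIX_RELEASED, GROUPS).items():
        print(f"{name:14s} half-life={stats['half_life_days']} days  "
              f"patched within 10 days={stats['patched_in_window']:.0%}")
```

On the constructed data the service group crosses 50 percent on day 15 and the manufacturing group on day 51, yet neither has more than a third of its hosts patched by day 10; that gap between the half-life and the exploit window is the exposure the article describes. Replacing the sample dictionary with per-host first-patched dates exported from a scanner gives the same metric for a real estate.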

"Security is getting more difficult with attackers becoming extremely sophisticated and the window of exploitation shrinking to days for most critical vulnerabilities," Wolfgang Kandek, CTO of Qualys, said in a statement.

Another issue is that companies appear to be patching serious vulnerabilities in ubiquitous software much more slowly. Qualys found flaws in Microsoft Office, Windows 2003, Adobe Acrobat and Sun's Java remained on systems long after the software makers had issued relevant updates.

The report did not offer an explanation for the behavior.

If you have tips or insights on this topic, please contact SecurityFocus.

Posted by: Robert Lemos
Copyright 2009, SecurityFocus