Reports Say Vulnerabilities Outpacing Patches
released data from Trusteer and Qualys puts a spotlight on trouble in
the vulnerability management process. Qualys reports that it still
takes a month for a patch to be deployed to half of vulnerable systems,
while Trusteer reports that close to 80 percent of the computers it
scans are running vulnerable versions of Adobe Flash.
also shows that successful exploits don’t have to be zero-day attacks
either. In fact, it’s often older vulnerabilities in popular
applications that are the entry point that intruders use to compromise
systems. This point was recently emphasized by separate research from
Qualys and Trusteer that highlighted some disturbing findings in
the patch management process.
to the July 28th Qualys report, the half-life of vulnerabilities–the
time it takes for 50 percent of systems to be patched–is now usually
29.5 days. The majority of vulnerabilities are now found in client-side
applications, with most targeted attacks hitting Adobe Acrobat/Reader
and Microsoft Word.
time taken to fix vulnerabilities is virtually unchanged from 2004,
though Qualys admits a direct comparison is difficult because of the
number of vulnerabilities today and the maturity of modern
vulnerability management tools. Still, Qualys CTO Wolfgang Kandek said
that he was surprised by the fact that while IT administrators have
gotten good at patching OS vulnerabilities, they are still taking a lot
of time to address vulnerabilities in applications.
have to test the patch deployment to assure that patches do not break
existing applications,” Kandek said. “At the same time, attackers are
getting better [able] to explore new vulnerabilities ever faster.
Companies will have to find a way to patch machines faster… [and] that
certain applications should be patched quicker than others; for
example, Internet Explorer on desktops, Office Applications [and] Adobe
Reader are applications that are attacked constantly and should be kept
statistics are backed by a study released by Trusteer last week which
reported that nearly 80 percent of the roughly 2.5 million users
Trusteer scanned are running vulnerable versions of Flash, and nearly
84 percent are using vulnerable versions of Acrobat Reader. The danger
of leaving security holes open for long periods is underscored
by Microsoft’s Intelligence Report for the second half of 2008,
which revealed that over 91 percent of attacks against Microsoft Office
exploited a vulnerability that was patched more than two years ago.