When a security researcher or vendor first releases information about a software vulnerability, the clock starts ticking. How long will it be until a malicious user takes advantage of it?
According to Gerhard Eschelbeck, CTO of the computer security company Qualys, not very long. He says that for about 80 percent of publicly known vulnerabilities, working exploit code, or a worm or virus built around it, appears within 60 days of the announcement.
Eschelbeck presented this finding at last week's Black Hat USA 2003 conference in Las Vegas, as part of his Law of Vulnerability project, which is the result of about a year of analysis of Qualys's extensive vulnerability database.
Eschelbeck's findings put hard numbers behind what security experts have been saying for years: there is only a limited window between the time a vulnerability is announced and the time a patch must be applied.
If home users and corporate system administrators don't already know how important it is to apply fixes as soon as they're available, now there's concrete data to prove it. Eschelbeck's research should also help sys admins justify the time and expense of implementing these patches to their bosses -- and thus shorten the life of destructive worms and viruses.
After discussing the "60-day rule," Eschelbeck presented another key point from the Law of Vulnerability project: half of the systems affected by a given vulnerability are patched within 30 days of its announcement, while the other half remain open to attack beyond that point.
Those unpatched systems keep vulnerabilities, and the worms and viruses that exploit them, alive on the Internet long after the fixes are released. As an example, Eschelbeck cited the Microsoft IIS Indexing Service buffer overflow (MS01-033) that gave rise to Code Red in 2001. Code Red faded for a while but is now back, thanks to the recent appearance of new, unpatched installations of the server software that give it fresh hosts to infect.
Joining Eschelbeck at the Black Hat session were several other security experts, including Black Hat Briefings CEO Jeff Moss and BindView's Mark Loveless (aka Simple Nomad). Loveless pointed out that, beyond public announcements, malicious users also learn of unannounced or recently announced vulnerabilities through an online "black market" for vulnerability information.
That means attackers may know about more vulnerabilities than many security experts or the general public do, and it underscores the need for software developers to find and fix such flaws before shipping, rather than holding off on security testing until after release and relying on public disclosure to surface them.
Of course, in the end, it's the often overworked system administrators who are responsible for patching vulnerable systems, and who catch hell when a new virus takes down their company's network (or, worse, part of the Internet).
Eschelbeck's research gives these admins ammunition when asking management for more resources to do this work. Often, patches are not applied in a timely manner simply because an IT department is too busy with other tasks. With hard data now available that shows the lifecycle of vulnerabilities, I hope more systems will be updated sooner -- and, as a result, both corporate networks and the Net will become safer for all users.