Black Hat: Moderate Flaws Threaten Networks
Study finds enterprises are patching more critical software vulnerabilities, but fewer moderate flaws, leaving networks exposed to a large variety of vulnerabilities.

LAS VEGAS -- New research unveiled Wednesday shows that while enterprises are fairly diligent about patching critical software vulnerabilities, they are paying less attention to more moderate flaws and thus leaving their networks exposed to a large variety of vulnerabilities.

For vulnerabilities identified as critical, the number of vulnerable systems drops by 50 percent every 30 days, according to data assembled as part of an ongoing research effort by Gerhard Eschelbeck, CTO of Qualys Inc., based in Redwood Shores, Calif. This so-called half-life of a vulnerability doubles with each progressively lower degree of severity.

In fact, Eschelbeck found that some flaws have a virtually unlimited lifespan. A case in point is the vulnerability in Microsoft Corp.'s Index Server and Indexing Service ISAPI extension, which was exploited by the Code Red worm two years ago. After an initial flood of patching activity before and after the worm was released, the number of vulnerable systems has been steadily rising again for more than a year. Eschelbeck attributes this mainly to companies bringing new servers online and failing to install the needed patches and service packs.
The research project, which Eschelbeck calls "The Laws of Vulnerabilities," also shows that 80 percent of all exploits are available within 60 days of the publication of the vulnerability information.
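The half-life figures reported above, turned into a small decay model as an added example (not code from the article or from Qualys); it assumes severity is expressed as a rank, 0 for critical and one higher for each progressively lower tier, and that the 60-day exploit window applies uniformly:

```python
import math

# Constructed from the figures quoted in the article: critical flaws halve their
# vulnerable population every 30 days, the half-life doubles per lower severity
# tier, and 80 percent of exploits appear within 60 days of publication.
CRITICAL_HALF_LIFE_DAYS = 30
EXPLOIT_WINDOW_DAYS = 60


def half_life_days(severity_rank: int) -> int:
    """Half-life in days for a severity rank (assumed: 0 = critical, 1 = next tier, ...)."""
    if severity_rank < 0:
        raise ValueError("severity rank must be >= 0")
    return CRITICAL_HALF_LIFE_DAYS * (2 ** severity_rank)


def vulnerable_fraction(severity_rank: int, days_since_disclosure: float) -> float:
    """Share of initially vulnerable systems still unpatched after the given days."""
    if days_since_disclosure < 0:
        raise ValueError("days since disclosure must be >= 0")
    return 0.5 ** (days_since_disclosure / half_life_days(severity_rank))


def days_until_fraction(severity_rank: int, target_fraction: float) -> float:
    """Days until only target_fraction of the systems remain vulnerable."""
    if not 0 < target_fraction <= 1:
        raise ValueError("target fraction must be in (0, 1]")
    return half_life_days(severity_rank) * math.log2(1 / target_fraction)


def exposure_at_exploit_window(max_rank: int = 3) -> dict:
    """Unpatched share per severity rank at the point most exploits are public.

    Shows why moderate flaws matter: by day 60 a critical flaw is down to 25
    percent of systems, but the tier two below it is still above 70 percent.
    """
    return {rank: vulnerable_fraction(rank, EXPLOIT_WINDOW_DAYS)
            for rank in range(max_rank + 1)}


if __name__ == "__main__":
    for rank, share in exposure_at_exploit_window().items():
        print(f"rank {rank}: half-life {half_life_days(rank):4d} days, "
              f"{share:.1%} still vulnerable at day {EXPLOIT_WINDOW_DAYS}")
```

The model ignores the reintroduction of unpatched servers the article describes for the Code Red flaw, so it is a floor on exposure, not a forecast.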