ZDI Releases Advisory on Unpatched Zero-Days

By Brian Prince  |  Posted 2011-02-07

Six months ago, the HP TippingPoint Zero Day Initiative (ZDI) made a decision: it would cap the amount of time it gave vendors to patch before releasing vulnerability information at six months.

The move, Aaron Portnoy, manager of Security Research for TippingPoint, blogged at the time, was meant to force vendors to get faster at closing security holes. Back then, there were 31 high-risk vulnerabilities reported to vendors by ZDI that were a year old and still hadn't been patched. The latest report card for vendors, however, is a bit better.

ZDI has reported 186 zero-days in the last six months, and vendors have patched nearly 90 percent of them. That leaves just 22, which the ZDI team has listed here along with general details.

"We witnessed an 89 percent patch rate compared to where we were with these vulnerabilities six months ago," said Dan Holden, director of HP TippingPoint DVLabs. "Vendors really seem to have reacted well to our policy change and the big winners are customers worldwide that are at a reduced risk because of patches being delivered in a more timely manner."

The vulnerabilities touched a number of vendors, including EMC, Novell and Microsoft. Jerry Bryant, Microsoft's group manager of response communications, told eWEEK the company is working on patches for the problems, but had discovered issues along the way that would have prevented customer deployment. The patches, however, will come "in the near future," he said.

"Microsoft appreciates that ZDI chose to reveal relatively little information about individual vulnerabilities, diminishing the likelihood that attackers could use the information to put customers at risk," Bryant said.
