Black Hat: Moderate Flaws Threaten Networks

Study finds enterprises are patching more critical software vulnerabilities, but fewer moderate flaws, leaving networks exposed to a large variety of vulnerabilities.

LAS VEGAS—New research unveiled Wednesday shows that while enterprises are fairly diligent about patching critical software vulnerabilities, they are paying less attention to more moderate flaws and thus leaving their networks exposed to a large variety of vulnerabilities.

For vulnerabilities identified as critical, the number of vulnerable systems drops by 50 percent every 30 days, according to data assembled as part of an ongoing research effort by Gerhard Eschelbeck, CTO of Qualys Inc., based in Redwood Shores, Calif. This so-called half-life of a vulnerability doubles with each progressively lower degree of severity. In fact, Eschelbeck found that some flaws have a virtually unlimited lifespan.

A case in point is the vulnerability in Microsoft Corp.'s Index Server and Indexing Service ISAPI extension, which was exploited by the Code Red worm two years ago. After an initial flood of patching activity before and after the worm was released, the number of vulnerable systems has been steadily rising again for more than a year. Eschelbeck attributes this mainly to companies bringing new servers online and failing to install the needed patches and service packs.

The research project, which Eschelbeck calls "The Laws of Vulnerabilities," also shows that 80 percent of all exploits are available within 60 days of the publication of the vulnerability information.
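The two figures above (a 30-day half-life for critical flaws that doubles with each lower severity tier, and 80 percent of exploits appearing within 60 days) can be combined into a simple exposure model. The code below is an added illustration, not part of the article or of Eschelbeck's research; it assumes a continuous exponential decay, numbers severity tiers from 0 (critical) upward, and that the half-life rule holds for every tier, which the article states only in general terms.

```python
import math

# Figure reported in the article: the count of systems vulnerable to a
# critical flaw halves every 30 days.
CRITICAL_HALF_LIFE_DAYS = 30

# Figure reported in the article: 80% of exploits exist within 60 days
# of a vulnerability being published.
EXPLOIT_WINDOW_DAYS = 60


def half_life_days(severity_rank: int, base: int = CRITICAL_HALF_LIFE_DAYS) -> int:
    """Half-life for a severity tier.

    Tier 0 is critical; each lower tier doubles the half-life
    (an assumption that the article's 'doubles with each degree'
    statement applies uniformly).
    """
    return base * 2 ** severity_rank


def vulnerable_fraction(days_since_disclosure: float, half_life: float) -> float:
    """Fraction of the originally vulnerable population still unpatched
    after `days_since_disclosure`, under exponential decay."""
    return 0.5 ** (days_since_disclosure / half_life)


def days_to_reach(target_fraction: float, half_life: float) -> float:
    """Days until only `target_fraction` of systems remain vulnerable
    (inverse of vulnerable_fraction)."""
    return half_life * math.log2(1.0 / target_fraction)


def exposure_at_exploit_window(tiers: int = 4) -> dict:
    """Unpatched fraction per severity tier at the point where the article
    says most exploits are already available (day 60)."""
    return {
        rank: vulnerable_fraction(EXPLOIT_WINDOW_DAYS, half_life_days(rank))
        for rank in range(tiers)
    }


if __name__ == "__main__":
    for rank, frac in exposure_at_exploit_window().items():
        print(f"tier {rank}: {frac:.0%} still vulnerable at day {EXPLOIT_WINDOW_DAYS}")
    # How the 15-day goal mentioned later changes time-to-10%-exposure for critical flaws
    for hl in (30, 15):
        print(f"half-life {hl}d: 10% exposure reached after {days_to_reach(0.1, hl):.0f} days")
```

Under this model only a quarter of systems remain exposed to a critical flaw when the exploit window closes, but the third tier down is still more than 80 percent unpatched, which is the gap the article describes. Halving the critical half-life to 15 days cuts the time to reach 10 percent exposure from roughly 100 days to roughly 50.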

In announcing the results of his 18-month project—which gathered data from more than 1.5 million individual systems—Eschelbeck also unveiled a plan to help reduce the half-life of vulnerabilities to 15 days within a year. A new Web site——will maintain a continuously updated list of the top 10 most prevalent and critical vulnerabilities. The site will also have a free tool that can scan any given IP address for the current top 10 flaws.

"There is some room for improvement there. I think we can get it to 20 or 15 days," Eschelbeck said at the Black Hat Briefings here.