Today, 56% of software vulnerability warnings get released on the same day as a related patch, up from 48% just two years ago. Furthermore, half of the remaining vulnerabilities now get patched within 30 days.
Those findings come via vulnerability information provider Secunia, which on Thursday released its Half Year Report 2011.
According to the study, the prevalence of some types of attacks has been shifting. From July 2009 to July 2011, for example, the number of vulnerabilities involving remote attacks decreased by 5.5%, while the number of local network attacks increased by 4.4%. "This is good news," Stefan Frei, Secunia's research analyst director, said in a phone interview. That's because local network attacks require an attacker to have physical access to targeted systems, meaning they're harder to execute, and easier to defend against.
In the same timeframe, the report also found that the number of highly critical vulnerabilities--one rung down from "extremely critical" bugs, which are the worst--increased by 4%, while the number of moderate bugs decreased by 7%. Why the increase in critical vulnerabilities? According to some security experts, it's not because applications are necessarily becoming less secure, but rather that vulnerability toolkits, at least in the hands of an experienced security researcher, are becoming more automated and powerful.
As security researchers find more critical vulnerabilities, it's more important than ever for vendors to patch in a timely manner, and whenever possible to work closely with security researchers on coordinated vulnerability disclosures that don't publicize bugs until vendors have a patch ready. In recent years, many vendors--notably Microsoft--have made a concerted effort to push coordinated disclosures. Are such efforts paying off?
"Yes, it is working, at least in most cases," Thomas Kristensen, chief security officer at Secunia, said in a phone interview. "Unfortunately, there are always those exceptions, where for some reason the researcher and the vendor can't cooperate. We've seen it go both ways. Sometimes the researcher is unreasonable. And sometimes the vendor just doesn't understand it, and they can't get into a proper dialog, treat it with the priority they should, and get back to the researcher."
One big boost for working together, however, has been Microsoft's rebranding of "responsible disclosure" as the much more neutral-sounding "coordinated disclosure." Kristensen said the change was essential: the new term avoids implying that disclosures are either responsible or irresponsible; they are simply coordinated or uncoordinated. Furthermore, a security researcher may have very good reasons for making an uncoordinated announcement, for example if a vendor ignores their information.
But overall, "Microsoft is doing a great job of going into a dialog," said Kristensen. "Some vendors have a different attitude, Apple being one of them, where they say that we're not going to say anything until the day we confirm the patch. And vendors that have an attitude like that, they might scare some people off."
On the other hand, Apple's approach to vulnerability disclosures doesn't appear to have hurt the company's market share. "There aren't that many attacks against the Apple platform, despite the fact that there are many vulnerabilities that could be potentially exploited," said Kristensen. "But with the progress from Apple, and the number of devices coming out, it's bound to happen one day. But before we see such attacks in large numbers, I think they can get away with quite a bit."