Vulnerabilities that won't go away

by Gregg Keizer  on Aug 1, 2003
Security flaws have a half-life, just like radioactive materials, according to new research unveiled this week at the Black Hat security conference in Las Vegas.

Rather than disappearing entirely, security vulnerabilities only decline in danger over time, said Gerhard Eschelbeck, chief technology officer of Qualys, a vulnerability assessment and management firm, in a presentation at the Black Hat Briefings, the conference of software and security experts currently under way.

Based on analysis of 1.24 million vulnerabilities found in scans over an 18-month period, Eschelbeck's research laid out what he called the "Laws of Vulnerabilities", a set of observations about how security flaws behave and how long they persist.

Critical vulnerabilities, such as those exploited by SQL Slammer and Code Red, and the Microsoft Windows DCOM Remote Procedure Call vulnerability currently in the news, have a half-life of 30 days, Eschelbeck said.

"Typically, within the first 30 days, only about 50 percent of the vulnerable systems are patched," said Eschelbeck. "That's a pretty reasonable response when you think about it," he added, but also noted that the data was a bit disappointing.

"I'm not surprised by the behaviour [of companies patching slowly]," he said, "but I expected the half-life to be shorter". In a presentation at Black Hat, Eschelbeck urged security firms and software companies to make an effort to drive down that half-life, and set a goal of 15 to 20 days by this time next year.

Another factor that may contribute to the half-life effect is that companies keep bringing servers online that run older editions of operating systems or other software, which may be vulnerable because they have never been updated.

The half-life analogy means that some vulnerabilities never disappear entirely. "In the second 30 days, another 50 percent of the vulnerable systems are patched," he said, "and another 50 percent in the 30 days after that. And so on and so on." It's like stepping half the remaining distance to a door: in theory, you never reach it.

The impossibility of eradicating a prominent, high-profile vulnerability, he said, is what drives another phenomenon: persistence.

Code Red, which wreaked havoc in 2001, is a good example. Even though it has fallen out of the public, and IT, eye, it's not gone. In fact, it's coming back, albeit slightly. "From April of 2002 to June of 2003, the data shows that Code Red vulnerabilities actually increased about five percent."

Vulnerabilities lower on the threat scale, however, have a half-life double that of more critical flaws, because companies and organisations patch the most serious vulnerabilities first and leave those they view as less dangerous for later, Eschelbeck said.

"The lower the degree [of the vulnerability] the longer the half-life."
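The halving model described above, and the doubled half-life for lower-severity flaws, can be written down as a formula and checked against an organisation's own scan history. The following Python is an added example, not code from the article or from Qualys: the scan counts are constructed to illustrate the model, and the inflow term for newly deployed unpatched hosts is my assumption about how the persistence effect (servers brought online with old software, Code Red counts creeping back up) could be modelled.

```python
"""Exponential half-life model of vulnerability remediation.

Added example, not code from the article or from Qualys. It puts the
"Laws of Vulnerabilities" half-life claim into a formula, estimates a
half-life from a (constructed) scan history, and adds an inflow term
for newly deployed unpatched hosts, which is an assumption about how
the persistence effect could be modelled.
"""
import math

# Figures quoted in the article.
CRITICAL_HALF_LIFE_DAYS = 30.0       # critical flaws
LOW_SEVERITY_HALF_LIFE_DAYS = 60.0   # "double that of more critical flaws"
TARGET_HALF_LIFE_DAYS = 15.0         # low end of the 15-20 day goal

# Constructed scan histories: (day, number of hosts still vulnerable).
# Illustrative values only, not Qualys data.
CRITICAL_SCANS = [(0, 1000), (30, 500), (60, 250), (90, 125)]
LOW_SEVERITY_SCANS = [(0, 1000), (60, 500), (120, 250), (180, 125)]


def remaining_fraction(days, half_life_days):
    """Fraction of originally vulnerable hosts still unpatched after `days`."""
    return 0.5 ** (days / half_life_days)


def days_until_fraction(target_fraction, half_life_days):
    """Days until only `target_fraction` of hosts remain vulnerable.

    The answer is finite for any positive fraction but grows without
    bound as the fraction nears zero: the "never reach the door" effect.
    """
    if not 0.0 < target_fraction <= 1.0:
        raise ValueError("target_fraction must be in (0, 1]")
    return half_life_days * math.log2(1.0 / target_fraction)


def estimate_half_life(observations):
    """Estimate the half-life behind a scan history.

    `observations` is a list of (day, vulnerable_host_count), counts > 0.
    Fits log(count) = a + b*day by least squares; half-life = -ln2 / b.
    Returns None when no decay is observed (b >= 0), e.g. a population
    that is growing again, as the Code Red counts did.
    """
    if len(observations) < 2:
        raise ValueError("need at least two scans")
    xs = [float(day) for day, _ in observations]
    ys = [math.log(count) for _, count in observations]
    n = len(xs)
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    if sxx == 0.0:
        raise ValueError("scans must span more than one day")
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    slope = sxy / sxx
    if slope >= 0.0:
        return None
    return -math.log(2.0) / slope


def simulate_with_inflow(initial, half_life_days, new_vulnerable_per_day, days):
    """Daily count of vulnerable hosts when new unpatched hosts keep arriving.

    Each day the existing population decays by the daily factor implied by
    the half-life, then `new_vulnerable_per_day` hosts are added (the
    "servers running older editions" effect). Returns days+1 counts.
    """
    daily_factor = 0.5 ** (1.0 / half_life_days)
    counts = [float(initial)]
    for _ in range(days):
        counts.append(counts[-1] * daily_factor + new_vulnerable_per_day)
    return counts


def steady_state(half_life_days, new_vulnerable_per_day):
    """Floor the vulnerable population converges to under constant inflow."""
    daily_factor = 0.5 ** (1.0 / half_life_days)
    return new_vulnerable_per_day / (1.0 - daily_factor)


if __name__ == "__main__":
    for label, scans in (("critical", CRITICAL_SCANS), ("low", LOW_SEVERITY_SCANS)):
        print(f"{label}: estimated half-life {estimate_half_life(scans):.1f} days")
    for hl in (CRITICAL_HALF_LIFE_DAYS, TARGET_HALF_LIFE_DAYS):
        print(f"half-life {hl:.0f}d: 99% patched after {days_until_fraction(0.01, hl):.0f} days")
    floor = steady_state(CRITICAL_HALF_LIFE_DAYS, 10)
    print(f"10 new vulnerable hosts/day at a 30-day half-life settles at about {floor:.0f} hosts")
```

Two things the formula shows that the prose only hints at: at a 30-day half-life it takes roughly 200 days to get 99 percent of hosts patched, and the 15-day goal halves that; and with a steady trickle of new unpatched hosts the population never decays to zero at all but settles at inflow divided by (1 minus the daily decay factor), which is the persistence effect in numbers.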

Among his other 'laws' are ones that describe the prevalence and exploitation of vulnerabilities.

Half of the most prevalent and critical security holes are replaced by new vulnerabilities every year. And exploits for the bulk of vulnerabilities (80 percent) are available within 60 days of the flaw becoming known.

Based on the data it has collected and analysed, Qualys on Wednesday debuted a top 10 list of vulnerabilities that is updated daily and so gives a near-real-time snapshot of the most prominent, and potentially dangerous, vulnerabilities.

Called the Real-Time Top 10 Vulnerabilities (RV10), the list is posted on the Qualys Web site.

Thursday's list included the Microsoft DCOM RPC vulnerability, the one that has government officials and security researchers concerned, as well as four others relating to Microsoft products. Other vulnerabilities on the top 10, which isn't ranked, include one for the Apache Web server and another for the Sendmail email server.

"Until our research, there was only anecdotal data on which vulnerabilities were most critical and prevalent," claimed Eschelbeck. "There was nothing to back it up.

"But this is an opportunity to predict the most prevalent vulnerabilities. With RV10, we're trying to give guidance of those vulnerabilities which are the most likely to be exploited."

The Windows DCOM RPC vulnerability deserves special attention, said Eschelbeck, repeating what almost every other security expert has said over the past week, because of the speed with which it climbed the RV10 chart after its 16 July disclosure.

"Within two days, it was in the top 10, and within four, it was the top vulnerability," he said.
