[ISN] OSS means slower patches

InfoSec News isn at c4i.org
Tue Sep 20 04:07:29 EDT 2005


Chris Jenkins
SEPTEMBER 19, 2005  
The growing popularity of open-source browsers and software may be
responsible for the increasing gap between the exposure of a
vulnerability and the provision of a patch to fix it, security software
vendor Symantec has said.

In its second Internet Security Threat Report for 2005, Symantec found
the time from vulnerability to the availability of a patch has "blown
out" to 54 days in the period from January to June, Symantec Australia
managing director David Sykes said.

Symantec had not previously published statistics on the average time
required to produce patches, but Mr Sykes said data showed the lag had
previously been about 30 days.

An average of 10 new vulnerabilities per day were discovered during
the first half of 2005, Mr Sykes said. In practice, large companies
with around 10,000 employees were now looking at 50 days between
vulnerability and the installation of patches across systems, he said.

Mr Sykes said the increasing popularity of open source software, such
as the Mozilla Foundation's Firefox browser, could be part of the
reason for the increase in the gap between vulnerability and patch,
with the open source development model itself part of the problem. "It
is relying on the goodwill and best efforts of many people, and that
doesn't have the same commercial imperative," he said. "I'm sure that
is part of what is causing the blow-out in the patch window."

"The Mozilla family of browsers had the highest number of
vulnerabilities during the first six months of 2005, with 25," the
Symantec report says. "Eighteen of these, or 72 per cent, were rated
as high severity. Microsoft Internet Explorer had 13 vendor confirmed
vulnerabilities, of which eight, or 62 per cent, were considered high

The growth in Firefox vulnerability reports coincides with its
increasing popularity with users. "It is very clear that Firefox is
gaining acceptance and I would therefore expect to see it targeted,"  
Mr Sykes said. "People don't attack browsers and systems per se, they
attack the people that use them," he said. "As soon as large banks
started using Linux, Linux vulnerabilities started to get exploited."

The report also found that recent internet attacks had aimed at
different targets. "For the first time, the education sector and small
business came in front of financial services as the most attacked
industries," Mr Sykes said.
