Companies patching security holes faster

The survey, released Wednesday by vulnerability assessment firm Qualys at the Black Hat Security Briefings here, found that the average half-life of a vulnerability--the length of time it takes for half of assailable computers to be fixed--has fallen to 21 days this year from 30 days in 2003.

However, the report found improvements only with systems connected directly to the Internet. Administrators took longer to patch computers located within a local area network, believing they were safe. Companies are typically patching flaws in internal systems within 62 days this year; Qualys did not measure the time it took to patch internally in 2003.

"If you look at the challenge that companies have internally, it is a factor of 10 more complicated," said Gerhard Eschelbeck, chief technology officer at Qualys.

The numbers are the best-case scenario for how quickly companies patch their systems. Qualys only collects anonymous data from its clients. Because those clients use Qualys' flaw-finding service, they are generally safer than companies not concerned with security--the average company connected to the Internet is likely to patch flaws much slower, Qualys said.

The slow rate at which companies update their systems has caused software makers such as Microsoft to look for better ways to secure customers that have not patched. Those companies need to start fixing their systems, Eschelbeck said.

"Knowing where your problems are is the first step, and then figuring out how critical each problem is is the next," he said.

Moreover, if the average time that companies stay connected to the Internet shrinks, the window of time that worm writers can exploit vulnerabilities to spread their programs is lowered as well.

"We will see those worms hitting in the first two half-lives," Eschelbeck said. "So the first two half-lives are the most important times, because they act as a breeding ground."