Want CNET to notify you of price drops and the latest stories?

Study: Bad security flaws don't die

A study of Internet security flaws shows that for serious issues, half of vulnerable systems remain unfixed after 30 days.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
2 min read
LAS VEGAS--A study of Internet security flaws showed that for serious issues, half of vulnerable systems remain unfixed after 30 days.

The data--released Wednesday at the Black Hat Briefings security Conference here--also showed that some flaws don't completely die out over time but actually make a comeback. The vulnerabilities exploited by the Code Red and SQL Slammer worms, for example, are allowing those threats to reassert themselves on the Internet, said Gerhard Eschelbeck, chief technology officer for vulnerability-assessment company Qualys.

"There is something going on that is bringing vulnerabilities back to life," Eschelbeck said, adding that the main theory is that companies continue to install systems that include out-of-date software.

The study, which correlates nearly 1.5 million scans done by Qualys over a year and a half, underscores the need for customers to be more proactive about patching systems and for software makers to weed out vulnerabilities during development.

The more serious the vulnerability, the quicker the companies patched it, the study found. Companies took longer to fix flaws thought to be less serious--as much as 60 days longer--by which time, in 80 percent of the cases, security researchers and hackers had released programs to exploit the flaws.

The data seems to support assertions by the Organization for Internet Safety that companies need time to fix flaws and patch vulnerable systems.

Security researchers also attacked software vendors' seeming inability to eradicate the most serious bugs from their applications, saying that was a key problem in dealing with server insecurities.

Mary Ann Davidson, chief security officer for database maker Oracle, said her company takes good software seriously, but that many other companies still haven't learned the lesson.

"If you (a software company) do the math and you are serious about your reputation, you have every incentive to treat your customers' systems as if they were yours," Davidson said.

Davidson said better quality could come about through government requirements that call for federal purchasers to go with certified software.

"If the government is serious about demanding secure software, then the industry is going to have to change and provide it," Davidson said.

Davidson added the private sector should take a similar tack.