North American Network Operators Group

Re: AV/FW Adoption Studies

  • From: Eric Rescorla
  • Date: Thu Jun 10 11:52:42 2004

[email protected] writes:
> On Wed, 09 Jun 2004 18:45:55 EDT, Sean Donelan <[email protected]>  said:
>
>> The numbers vary a little e.g. 38% or 42%, but the speed or severity or
>> publicity doesn't change them much.  If it is six months before the
>> exploit, about 40% will be patched (60% unpatched).  If it is 2 weeks,
>> about 40% will be patched (60% unpatched).  It's a strange "invisible hand"
>> effect, as the exploits show up sooner the people who were going to patch
>> anyway patch sooner.  The ones that don't, still don't.
>
> Remember that the black hats almost certainly had 0-days for the
> holes, and before the patch comes out, the 0-day is 100% effective.

What makes you think that black hats already know about your
average hole?


> Once the patch comes out and is widely deployed, the usefulness of
> the 0-day drops.
>
> Most probably, 40% is a common value for "I might as well release
> this one and get some recognition".  After that point, the residual
> value starts dropping quickly.

I don't think this assessment is likely to be correct. If you look, for
instance, at the patching curve on page 1 of "Security holes... Who
cares?" (http://www.rtfm.com/upgrade.pdf) there's a pretty clear flat
spot from about 25 days (roughly 60% patch adoption) to 45 days
(release of the Slapper worm). So, once that 2-3 week initial
period has passed, the value of an exploit is roughly constant
for a long period of time.

-Ekr