Windows Users Patch Fastest Amid Media's Zero-Day Hype

A researcher says publicity is the top reason why IT moves quickly to fix zero-day bugs.

Widespread publicity is probably the biggest driver in persuading IT managers to fix Windows zero-day bugs, not simply the fact that Microsoft sounds the alarm by issuing an emergency update, according to researcher Qualys Inc.

Zero-day vulnerabilities -- those for which exploit code has gone public before a fix is ready -- are widely reported on Internet news sites and dissected by bloggers and thus capture the attention of network managers and IT executives, who want them fixed pronto, said Wolfgang Kandek, chief technology officer at Qualys.

Kandek said last week that he reached that conclusion based on an analysis of data acquired from several hundred thousand PCs that the Redwood Shores, Calif.-based security risk and compliance management provider monitors for its customers.

Well-publicized zero-day Windows bugs are patched quickly by IT operations, whether the fixes are issued as part of Microsoft's standard monthly Patch Tuesday release or in an emergency out-of-band update, Kandek's research found.

"This tells me that media coverage is what helps," he said last week. "While [the media] covers the usual Patch Tuesday updates, it doesn't come close to the attention a zero-day receives."

A December 2009 Patch Tuesday update that fixed five flaws in Internet Explorer, including one zero-day bug, reached "half-life" -- the point at which 50% of machines have been patched -- in 10 days, and a January 2010 patch rushed out the door ahead of schedule made it to the half-life mark in nine days, Kandek found.

The two zero-day fixes reached half-life about 36% faster than the average 15-day half-life of operating-system-level updates overall, according to Kandek.

He noted that the survey also found that some organizations are taking longer than Microsoft's recommended 30 days to patch vulnerabilities, while others don't apply the security updates at all.

"I don't understand why," Kandek said. "Microsoft's essentially saying that most of the vulnerabilities can be exploited after 30 days [and] that [attackers] could probably have exploits if they wanted them."

Coincidentally, Microsoft last week issued its second out-of-band update of the year.

The 10 new IE patches include a fix for a zero-day vulnerability that has been used by attackers for at least several weeks.

Microsoft rated each of the 10 patches as "critical," the highest level in its four-step scoring system. All had been slated for release on Tuesday, April 13.

HD Moore, chief security officer at Boston-based security firm Rapid7, said that Microsoft had no choice but to make the out-of-band updates when a Taiwanese researcher nicknamed "Nanika" revamped public exploit code for one of the bugs so that it worked reliably against both IE6 and IE7.

"Before, Microsoft said, 'Not that big a deal,' but then the facts changed and they say, 'Sorry, this does affect IE7 reliably.' They changed their mind," Moore noted.

Andrew Storms, director of security operations at San Francisco-based nCircle Network Security Inc., said that last week's update should convince users to "get onto IE8 -- not just ditch IE6, but dump IE6 and IE7."

The patches fixed seven bugs, five rated critical, in IE7, which debuted in 2006 prior to the release of Windows Vista. The year-old IE8 was touched by just three of the 10 vulnerabilities, with only two rated as critical.

This story was originally published in Computerworld's print edition. It was adapted from an earlier version that first ran on Computerworld.com.

Copyright © 2010 IDG Communications, Inc.
