Matthew Broersma, Techworld

09 March 2006

Test shows how vulnerable unpatched Windows is

Symantec reveals how quickly unpatched Microsoft software is compromised.

A test has revealed that a Linux server is far less likely to be compromised. In fact, unpatched Red Hat and SuSE servers were not breached at all during a six-week trial, while the equivalent Windows systems were compromised within hours.

An unpatched Windows 2000 Server was the quickest to be compromised, at an hour and 17 minutes, while unpatched Windows Server 2003 lasted slightly longer. Windows XP Professional, unpatched, lasted one hour and 12 seconds. Meanwhile, Unpatched Red Hat Enterprise Linux 3 and SuSE Linux 9 Desktop weren't compromised during the month and a half it was exposed to the Internet.

However, patching does make a difference. Patched versions of Windows fared far better, remaining untouched throughout the test, as did the Red Hat and Suse deployments.

The results of the test were confirmed by Symantec's other finding, Companies were at risk from unpatched software bugs for an average of 42 days per bug during the second half of last year, according to the company's latest semi-annual Internet Security Threat Report, released this week.

The report also found that the Firefox browser had fewer vulnerabilities than Microsoft Internet Explorer, due to a revision in the way Symantec counts bugs; and that unpatched versions of Windows last just over an hour on the Internet before being compromised, among other findings.

The report highlights the fact that even quick patching isn't enough to keep software secure, since exploit code began to circulate an average of 6.8 days after the disclosure of a vulnerability, while a vendor-supplied patch wasn't available until an average of 49 days after disclosure, Symantec said.

Symantec's figures deal with averages, and thus overlook the fact that vendors usually patch the most serious bugs more quickly than less dangerous flaws, minimising risk somewhat. Still, so-called "zero day" flaws are becoming more common, even in high-profile applications such as Internet Explorer. In August, for example, a researcher warned of an unpatched hole affecting IE 6 on a fully-patched Windows Server 2003 and Windows XP with Service Pack 2.

The report now features two different ways of counting browser bugs: one that finds that Internet Explorer has the most vulnerabilities, and a second that reveals Firefox as the bug leader.

Firefox had the highest number of vendor-confirmed vulnerabilities, with 13 bugs reported during the six months covered by the report, compared with Internet Explorer's 12, said Dave Cole, a director of Symantec Security Response.

However, the latest report also includes a count of bugs found by security researchers that have not been confirmed by Microsoft or the Mozilla Foundation, which owns Mozilla. By that count, Internet Explorer had the most security issues: 24, compared with Firefox's 17.

Symantec decided to begin counting the unconfirmed bugs "partially in response" to feedback from the Mozilla team after publishing its previous report in September 2005. That report counted only confirmed bugs, with 18 for Firefox and 13 for Internet Explorer. "We said, 'OK, for the next report we'll look at them both,'" Cole said. "It's something we might have looked at anyway."

Open-source projects tend to have more vendor-confirmed bugs because of the transparency of the bug-fixing process, according to Symantec.

The report found that attackers are increasingly targeting web applications and are tending to use more modular, easily updated code. The company documented 1,895 new software vulnerabilities, the highest number since 1998, of which 97 percent were moderately to highly severe and 79 percent were easy to exploit.

main page ATTRITION feedback