(Page 2 of 2)
In his analysis, Ransbotham found that attacks on vulnerabilities in open-source software occurred sooner than attacks on closed-source software, as measured from the first report of the vulnerability by each company. In addition, a greater number of companies were eventually targeted with attacks on each vulnerability, on average. In both cases, however, the number of attacks eventually saturated.
"As defenders get out their patches, the attackers have more incentive to move on to a different exploit," Ransbotham says.
The ability to access open-source code is not the only advantage given to attackers. Ransbotham's analysis showed a correlation between the existence of signatures--used by various security products to match a known pattern with a flaw--and earlier attacks, suggesting that the updates used by defenders to improve their defenses actually help attackers.
"That tells me that there is something about having that signature that is helping people... giving them a clue about how to exploit the vulnerability," Ransbotham says.
Other research has suggested that signatures--and other defensive measures--leak information to attackers. In 2007, two security consultants described using signatures from a popular intrusion detection system to create attack code. In 2008, academic researchers created a system for generating potential exploit code based on automatic analysis of the patches released by software companies.
Security professionals warn not to read too much into Ransbotham's analysis, however. Many factors could skew the data, says David Aitel, chief technology officer of security firm Immunity, which--among its services--creates exploits to test corporate network defenses. Only 30 of the 97 vulnerabilities targeted by attackers were in open-source software, according to Ransbotham's paper, which means that relatively few vulnerabilities were attacked far more often, says Aitel. He argues that attackers might indiscriminately inundate a company's network with attacks on relatively unimportant open-source software, while focusing more serious attacks on more important systems running closed-source software.
Because Immunity's clients are most concerned about systems running closed-source software such as Microsoft Windows, Internet Explorer, Adobe Acrobat, and Sun's Java, Immunity's researchers attempt to exploit flaws in closed-source software within 24 hours of when they are first reported. Open-source software vulnerabilities are given a much lower priority.
"Drawing a broad conclusion that open-source software is easier to exploit is definitely not true," he says. "You could draw the exact opposite conclusion from the body of exploits that are available on [research sites, such as] Packetstorm."
Other security professionals take a broader view: the question is less about open- or closed-source and more about how a company develops its software. Attackers can eventually get the information they need to exploit a bug, whether through automated attack software, by reverse engineering patches, or by somehow gaining access to the source code, so companies should expect that, says Gary McGraw, chief technology officer of Cigital, a software-security consultancy.
"It is a myth that you have to have source code to exploit vulnerabilities," McGraw says. "You (software developers) need to realize that your software is out there, and you are giving your attacker everything they need to exploit it."