Firms Patch Some Bugs Quicker Than Others
Vulnerabilities in core software are dealt with quickly, while other applications have to wait.
Companies give priority to patching core software, such as Microsoft’s
Windows and Internet Explorer, according to the latest data from vulnerability-scanning
firm Qualys.
The firm found that companies take about a month to patch half of all
vulnerable systems – a data point the firm refers to as the “vulnerability
half-life” – and only 15 days to patch half of their core Microsoft
systems. Desktop applications, such as Microsoft Office and Adobe Reader,
require far longer to patch, says Wolfgang Kandek, chief technology officer of
Qualys. The firm released its Laws of Vulnerabilities study on
Wednesday at the Black Hat
Security Conference in Las Vegas.
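The half-life metric described above, computed over constructed scan records as an added example; this is not Qualys' code or methodology, and the `Finding` fields and category labels are assumptions:

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Finding:
    """One vulnerable instance reported by a scanner (fields are assumptions)."""
    host: str
    category: str            # e.g. "core_microsoft" or "desktop_app"
    detected: date           # first scan that reported the vulnerability
    patched: Optional[date]  # first scan that no longer reported it; None = still open


def half_life_days(findings: list) -> Optional[int]:
    """Days until at least half of the findings had been remediated.

    Open findings stay in the denominator, so when fewer than half are closed
    the half-life has not been reached yet and None is returned.
    """
    if not findings:
        return None
    ages = sorted((f.patched - f.detected).days for f in findings if f.patched)
    needed = -(-len(findings) // 2)  # ceil(n / 2): closures needed to reach half
    if len(ages) < needed:
        return None
    return ages[needed - 1]  # age of the closure that brought the count to half


def half_life_by_category(findings: list) -> dict:
    """Group findings by software category and report each group's half-life."""
    groups: dict = {}
    for f in findings:
        groups.setdefault(f.category, []).append(f)
    return {cat: half_life_days(fs) for cat, fs in groups.items()}


# Constructed sample: all findings detected on one day; each entry is the
# number of days until the patch was observed, or None if still open.
_DAY0 = date(2009, 7, 1)
_AGES = {
    "core_microsoft": [3, 9, 15, 22, 40, None],
    "desktop_app": [20, 45, 60, None, None, None],
}
SAMPLE = [
    Finding(f"ws{i:02d}", cat, _DAY0, None if age is None else _DAY0 + timedelta(days=age))
    for cat, ages in _AGES.items()
    for i, age in enumerate(ages, start=1)
]
```

Running `half_life_by_category(SAMPLE)` on the constructed data gives a 15-day half-life for the core Microsoft group and 60 days for the desktop applications; a category in which fewer than half the instances are ever patched reports `None` rather than an optimistic number.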
Companies are “very, very slow” at patching Adobe software on their desktop
systems, Kandek says.
“With Word and Excel, you can see that someone is [patching] the
software,” he says. “But with Adobe, they don’t seem to have focused
on it yet.”
Qualys, whose service allows companies to scan for known vulnerabilities, released initial
data on the trends in vulnerabilities and patching in April. The company
found that manufacturing firms were the slowest to patch their systems, taking
more than 50 days to patch half their computers, while financial and retail
industries took less than 25 days.
The latest study gives more details about another trend: Companies are slow
to patch popular, but non-Microsoft, software. Most applications have an
automated update feature, or at least check for updates, but many companies do
not allow their desktop systems to patch themselves.
“By managing the process themselves, it gives them a chance to check
things (such as compatibility issues), but at the expense of being
vulnerable,” Kandek says.
Adobe expects to patch a major vulnerability in its Flash Player and Adobe
Reader and Acrobat later this week.
“The main threats have migrated to the desktop, so it would be a good
time to review how you [as a company] patch the desktop,” Kandek says.