
[ISN] OSS means slower patches

Subject: [ISN] OSS means slower patches
Date: Tue, 20 Sep 2005 03:07:29 -0500 (CDT)
http://australianit.news.com.au/articles/0,7204,16650762%5E15306%5E%5Enbv%5E,00.html

Chris Jenkins
SEPTEMBER 19, 2005

THE growing popularity of open-source browsers and software may be
responsible for the increasing gap between the exposure of a
vulnerability and the provision of a patch to fix it, security software
vendor Symantec has said.

In its second Internet Security Threat Report for 2005, Symantec found
the time from vulnerability to the availability of a patch has "blown
out" to 54 days in the period from January to June, Symantec Australia
managing director David Sykes said.

Symantec had not previously published statistics on the average time
required to produce patches, but Mr Sykes said data showed the lag had
previously been about 30 days.

An average of 10 new vulnerabilities per day were discovered during
the first half of 2005, Mr Sykes said. In practice, large companies
with around 10,000 employees were now looking at 50 days between
vulnerability and the installation of patches across systems, he said.

Mr Sykes said the increasing popularity of open source software, such
as the Mozilla Foundation's Firefox browser, could be part of the
reason for the increase in the gap between vulnerability and patch,
with the open source development model itself part of the problem. "It
is relying on the goodwill and best efforts of many people, and that
doesn't have the same commercial imperative," he said. "I'm sure that
is part of what is causing the blow-out in the patch window."

"The Mozilla family of browsers had the highest number of
vulnerabilities during the first six months of 2005, with 25," the
Symantec report says. "Eighteen of these, or 72 per cent, were rated
as high severity. Microsoft Internet Explorer had 13 vendor confirmed
vulnerabilities, of which eight, or 62 per cent, were considered high
severity."

The growth in Firefox vulnerability reports coincides with its
increasing popularity with users. "It is very clear that Firefox is
gaining acceptance and I would therefore expect to see it targeted,"
Mr Sykes said. "People don't attack browsers and systems per se, they
attack the people that use them," he said. "As soon as large banks
started using Linux, Linux vulnerabilities started to get exploited."

The report also found that recent internet attacks had aimed at
different targets. "For the first time, the education sector and small
business came in front of financial services as the most attacked
industries," Mr Sykes said.


_________________________________________
InfoSec News v2.0 - Coming Soon! 
http://www.infosecnews.org 