http://australianit.news.com.au/articles/0,7204,16650762%5E15306%5E%5Enbv%5E,00.html

Chris Jenkins
SEPTEMBER 19, 2005

THE growing popularity of open-source browsers and software may be responsible for the increasing gap between the exposure of a vulnerability and the provision of a patch to fix it, security software vendor Symantec has said.

In its second Internet Security Threat Report for 2005, Symantec found the time from vulnerability to the availability of a patch has "blown out" to 54 days in the period from January to June, Symantec Australia managing director David Sykes said.

Symantec had not previously published statistics on the average time required to produce patches, but Mr Sykes said data showed the lag had previously been about 30 days.

An average of 10 new vulnerabilities per day were discovered during the first half of 2005, Mr Sykes said.

In practice, large companies with around 10,000 employees were now looking at 50 days between vulnerability and the installation of patches across systems, he said.

Mr Sykes said the increasing popularity of open source software, such as the Mozilla Foundation's Firefox browser, could be part of the reason for the increase in the gap between vulnerability and patch, with the open source development model itself part of the problem.

"It is relying on the goodwill and best efforts of many people, and that doesn't have the same commercial imperative," he said. "I'm sure that is part of what is causing the blow-out in the patch window."

"The Mozilla family of browsers had the highest number of vulnerabilities during the first six months of 2005, with 25," the Symantec report says. "Eighteen of these, or 72 per cent, were rated as high severity. Microsoft Internet Explorer had 13 vendor confirmed vulnerabilities, of which eight, or 62 per cent, were considered high severity."

The growth in Firefox vulnerability reports coincides with its increasing popularity with users.
"It is very clear that Firefox is gaining acceptance and I would therefore expect to see it targeted," Mr Sykes said.

"People don't attack browsers and systems per se, they attack the people that use them," he said. "As soon as large banks started using Linux, Linux vulnerabilities started to get exploited."

The report also found that recent internet attacks had aimed at different targets.

"For the first time, the education sector and small business came in front of financial services as the most attacked industries," Mr Sykes said.

_________________________________________
InfoSec News v2.0 - Coming Soon!
http://www.infosecnews.org
This archive was generated by hypermail 2.1.3 : Tue Sep 20 2005 - 01:22:09 PDT