Plugging Security Vulnerabilities -- What's the Hurry?
How secure are your server OSes? Not as secure as they could be, probably. That's because no matter how hard you may be working to keep them secure, many of the third parties you rely on to contribute to your server OS security are likely letting you down. To put it bluntly, they are more interested in making money than in ensuring your servers are safe.
The latest time line in fixing security vulnerabilities is a whopping 11.6 days. Why does it take vendors such a long time to recognize and detect new viruses, and is there anything you can do to protect your server OSes?
Among the security measures you take, you probably protect your servers using an anti-virus scanner that uses virus signatures. But there's less than a 19 percent chance that your scanner will detect a new malware attack, according to a report, "Malware Detection Rates for Leading AV Solutions" from the security company Cyveillance. That's not an impressive figure, but you could argue it's not surprising: AV scanners are best at spotting known threats, and a new threat can't be "known" until the AV vendor has spotted it and added the new threat's signature to the scanner.
But how long should it take for this to happen? A day? Two? Three? Unbelievably it turns out that, on average, top AV vendors take 11.6 days to recognize and detect new viruses. Unbelievable perhaps, but true.
This, of course, begs the question, why does it take such a long time? Can it possibly be justified? There seems to be no sense of urgency here. No doubt it comes down at least in part to a question of economics: Faster response times would be more expensive to achieve. It's worth noting that many AV vendors use heuristics as well as signatures to recognize the presence of malware, but that's still no excuse for being so slack in updating virus signature files.
One suspects it is also a question of economics when it comes to the inexcusably long time it takes many software vendors to patch their products. How else do you explain that it can take some vendors many, many months from the time they become aware of a vulnerability to the time a fix is released? In many cases these vulnerabilities can lead to arbitrary code execution on the underlying server operating system, yet for months at a time the vendors appear to do nothing about the vulnerabilities, preferring to work on more profitable tasks.
In simple economic terms this behavior is not surprising. The interests of the vendor and the customer conflict, and the vendor works in its own best interest, not that of its customer.
Last week, HP TippingPoint helped put a little more pressure on vendors to patch known security bugs faster, announcing that if flaws submitted to its Zero Day Initiative program aren't fixed within six months, it will publicly release limited details of the vulnerabilities so end-users can take their own precautionary measures. "By establishing a deadline, ZDI is encouraging vendors to fix affected software quickly, reducing the risk of potential security attacks through identified weaknesses in these applications," the company said.
This is good news, as it makes it more in a vendor's interest to fix bugs before details of vulnerabilities are released and harmful bad press ensues. Vendors' and customers' interests are therefore more aligned, and the result may be that vulnerabilities get fixed faster.
Don't let the old vendor argument that bug fixing can't be rushed and can take months to develop and test properly fool you -- most software makers can produce patches in a hurry when it is in their interest to do so. This is perfectly demonstrated by Apple (NASDAQ: AAPL), a company famous for ignoring critical vulnerabilities in OS X long after the same flaws in other operating systems have been fixed. Last month, a group of Apple enthusiasts known as the iPhone Dev-Team exploited a vulnerability in the company's iOS4 mobile operating system to provide Apple's iPhone and iPod Touch customers with a jailbreak. A jailbreak is a perfectly legal way of freeing these devices from the restrictions Apple places on the software they can run, but which arguably could harm Apple's profits. If this had been a plain old security vulnerability that simply put its customers at risk, then you might reasonably not have expected a fix for seven months, nine months or even two years.
However, different rules apply when it comes to fixing a jailbreak. "We're aware of this reported issue, we have already developed a fix, and it will be available to customers in an upcoming software update," an Apple spokeswoman reportedly said last week.
So you see, even the laziest vendors with the worst records of vulnerability patching can produce a fix in a matter of days when they feel like it. However, getting them to move this quickly when it's your security rather than their money that's at stake is another matter altogether.
Paul Rubens is a journalist based in Marlow on Thames, England. He has been programming, tinkering and generally sitting in front of computer screens since his first encounter with a DEC PDP-11 in 1979.