Shortening security patch windows present new threats


Hackers and so-called cyber criminals are developing malicious code to exploit known vulnerabilities much faster than before, according to a report released by Internet Security Systems (ISS). Brian Tinham reports

The X-Force Threat Insight Quarterly highlights that vulnerabilities in 2005 increased by more than 33% over 2004’s numbers, and that businesses are leaving themselves open to attack in some cases for weeks. Analysts evaluated 4,472 hardware and software vulnerabilities last year, and found that from announcement on the internet, malicious code surfaced within 24 hours for 3.13% of threats, and within 48 hours for 9.38%.

“We are seeing an increase in ‘zero-day exploits’ from hackers appearing at the same time the vulnerability is published,” warns Gunter Ollman, director of X-Force at ISS. “This does not allow product developers the time to test and issue the necessary patches needed by end-users and enterprise administrators. Users without pro-active protection are quite often without protection against threats for several days or even weeks.”

Worryingly, 12.5% of the threats had code included in disclosure. This means that malicious code had been released into the wild as soon as the vulnerability had been published. The belief is that hackers are actively looking for vulnerabilities and only publish once they have developed an exploit for them. Hence the time frame between publication of a vulnerability and release of malicious code – the patching window – is getting alarmingly short.

“It is anticipated that the period between vulnerability disclosure and public availability of exploit material will continue to shrink, particularly for high profile vulnerabilities lying in default network services associated with popular desktop operating systems,” says Ollman. “The rapid development of exploit code following public disclosure will inevitably lead to increasing infection rates of bot-worms and malware, such as spyware and rootkit installer agents.”