The Sad State of Vendor Patches
A controversial new report shows vendors are leaving enterprises seriously exposed.
More than half of all security vulnerabilities go unpatched. Even worse, almost three-quarters of "Critical" or "Severe" vulnerabilities aren't patched. That's one provocative nugget from the 2010 Mid-Year Trend and Risk Report published last month by IBM Corp.'s X-Force security services unit.
The report serves up a fascinating assessment of the state of vulnerability patching among software vendors. It underscores an especially trenchant lesson: when it comes to security, everything could use a little patching up.
Biannual reporting, however, seems to be an especially tough job. After discovering flaws in the methodology it used to produce its year-end 2009 report, IBM X-Force says it developed a new methodology for its 2010 Mid-Year effort.
The first version of the IBM X-Force report indicated that Google Inc. failed to patch almost 10 percent of extant security vulnerabilities -- including a staggering 33 percent of high-risk vulnerabilities -- a finding that Google representatives strongly disputed. "The truth is that maintaining an accurate and reliable database of this type of information is a significant challenge," argued Adam Mein, security program manager for Google, in a posting on his company blog.
"We questioned a number of surprising findings [in the X-Force report] concerning Google's vulnerability rate and response record, and after discussions with IBM, we discovered a number of errors that had important implications for the report's conclusions. IBM worked together with us and promptly issued a correction to address the inaccuracies."
After Google cried foul, its tally was revised downward -- significantly. According to IBM X-Force, Google this year dutifully patched all known vulnerabilities.
Google wasn't alone. Representatives from the former Sun Microsystems Inc., which IBM X-Force christened 2010's most egregious patching offender (Sun failed to patch almost one-quarter of all known vulnerabilities, according to the first draft of the IBM X-Force report), likewise took issue.
IBM X-Force thereafter revised Sun's tally downward. Sun went from a 24 percent failure-to-patch rate to a less risible 8 percent.
That left Microsoft and the Mozilla Foundation as the biggest -- or most egregious -- offenders. As of July, Microsoft had neglected to patch almost one-quarter (23.2 percent) of extant 2010 vulnerabilities; Mozilla, for its part, failed to patch more than one-sixth (17 percent) of 2010 flaws.
Microsoft was also the leading offender in 2009, when it neglected to patch almost one-sixth -- 15.8 percent -- of vulnerabilities. Mozilla came in at No. 3, just behind Hewlett-Packard Co., with a 12 percent failure-to-patch rate. Just 2.6 percent of vulnerabilities went unpatched by Sun last year.
Not all vulnerabilities are equally critical, however. Some are esoteric (presupposing the existence of extremely specific or (in some cases) highly unlikely scenarios or configurations); limited in scope (i.e., aren't linked to big-ticket exploits such as remote code execution or denial-of-service attacks); affect infrequently used code, services, or features; or are mitigated (and, in some cases, addressed entirely) by common security best practices.
In this respect, Microsoft and Mozilla fared slightly better. Combined, both vendors accounted for 40 percent of all unpatched vulnerabilities. Through the first half of 2010, however, Microsoft hadn't issued patches for 7 percent of all "Critical" or "Severe" vulnerabilities. Mozilla failed to patch just 4 percent of all "Critical" or "Severe" vulnerabilities.
During the survey period, more than one-fifth (22 percent) of all high-risk flaws went unpatched by Oracle Corp., which otherwise accounted for just 7 percent of unpatched vulnerabilities.
IBM was even worse: it accounted for 9 percent of the unpatched tally but failed to patch almost 30 percent of "Critical" or "Severe" vulnerabilities.
Novell Inc. likewise broke the double-digit barrier: although it only accounted for 5 percent of all unpatched vulnerabilities, it failed to patch 10 percent of high-risk flaws.