mailing list archives
Any study on patch availability?
From: sudhakar+fulldisclosure () CS Princeton EDU
Date: Sun, 26 Dec 2004 12:26:17 -0500 (EST)
Holiday season greetings.
I am a PhD student at Princeton studying security. I am interested in
studying vulnerability statistics. I am interested in answering questions
1. Which are the programs where bugs are found often?
2. Which vendors tend to be frequently affected?
3. What are the common vulnerabilities (buffer overflows I guess)?
4. How often are patches available before a vulnerability is publicly
5. How much time does it take for a typical vendor to patch the bug?
diligent are various vendors regarding releasing patches?
6. What are the OS specific statistics?
7. How diligent are users/administrators regarding patching? In some cases
there might be genuine reasons why you cannot patch (loss of availability
etc.). I am aware of "Security holes... Who cares?" by Eric Rescorla.
8. Have there been situations when a patch has not been available for a
long time, say more than a month.
I am primarily interested in seeing how fast the patches are out. I am
more interested in knowing about those situations when a patch is not
available fast. What did people do to avoid getting hit? I would
appreciate some concrete examples. So I am mostly interested in questions
4, 5, and 8.
Has someone already studied these patterns? Can the community refer me to
some useful links? I would appreciate concrete examples and a quantitative
analysis. I have talked to a few system administrators. But I am confused
whether patch availability is indeed a problem. Unfortunately, the answer
is specific to what software you are running and the answer tends to be
Thanks in advance,
Sudhakar Govindavajhala Department of Computer Science
Graduate Student, Princeton University
Ph : (lab) +1 609 258 1763 (office) +1 609 258 1798
Full-Disclosure - We believe in it.
- Any study on patch availability? sudhakar+fulldisclosure (Dec 26)