Fog Creek Software
Discussion Board

Low uptake on security patches is OS independent

By way of the Cryptogram newsletter ( http://www.schneier.com/crypto-gram-0308.html ).

A really interesting paper that examines the uptake of the OpenSSL patches from the announcements right through the Slapper worm incident and beyond.

"For a number of reasons we would expect mod_SSL users to be better than average about installing security fixes:
• OpenSSL is security software and therefore its users clearly desire security.
• OpenSSL users are overwhelmingly UNIX users and UNIX users are widely believed to be more experienced in server administration than Windows users.
• Many popular operating systems (Linux, *BSD) have packages to make installing OpenSSL easier.
• We are studying the deployment of OpenSSL in servers which are particularly vulnerable because they must be open to the Internet at all times.
• The flaw allowed an attacker to take over the entire Web server.

In spite of all these factors, our measurements show remarkably slow deployment. One week after the flaw was announced, only 23% of the servers under study had been fixed. Two weeks after, less than 1/3 had been fixed. At the time of release of the Slapper worm that exploited this vulnerability, almost 60% of servers were still vulnerable."

They go on to show that even after the worm had struck, final uptake of the patch leveled off with a projected asymptote at 68%. This means that 32% of all installations will >never< get patched! This is extremely interesting stuff.

My own informal numbers seem to indicate around the same pattern for the MS RPC patch so far, so this to me seems to indicate the patching indifference problem is independent of OS or presumed expertise level.
All assumptions turn out to be unsubstantial:
Patch uptake for open Internet facing, even specific security focused software on Linux/BSD systems under threat of a full root compromise is no better than that for overall Windows installations.

Read the article at http://www.rtfm.com/upgrade.html . It offers far more than the few points I have room for here.

Just me (Sir to you)
Saturday, August 16, 2003

"One week after the flaw was announced, only 23% of the servers under study had been fixed."

While it is true this is a shit poor install rate, do you think the rpc patch rate approached anywhere near 1/10th of 23%?

Mike
Saturday, August 16, 2003

Hard to compare. Apples to oranges. One would assume that the SSH bug affected more or less only servers (as home users smart enough to run Unix or Linux are almost assuredly using some kind of firewall, and not leaving SSH open to the world... but that's a big assumption on my part). The Windows bug, on the other hand, affects every Windows install ever (you don't choose to install RPC, it's always there), and I'm sure a MUCH larger %age of users are running full open on the 'net when they're running Windows.

Brad Wilson (dotnetguy.techieswithcats.com)
Saturday, August 16, 2003

My own very informal, very small scale (~750 instances) sampling shows an uptake of 32.5% around the time of the worm.

Just me (Sir to you)
Monday, August 18, 2003
