While news is spreading quicker than ever about unpatched vulnerabilities and zero-day attacks, organizations are not getting any better at installing emergency fixes, according to researchers at the SANS Institute.
The researchers cited figures gathered from the vulnerability search engine Shodan showing that there is no significant relationship between the release of a patch and how quickly systems are fixed.
Ideally, the release of a patch would see a sharp decline in the number of vulnerable systems on Shodan searches as administrators install patches for a high-risk vulnerability. Rather, the report found a slow but steady decline in the number of systems that were vulnerable over time.
In other words, administrators are taking their time with installing patches, and known vulnerabilities are remaining unpatched even when a fix is available.
There is usually no sharp decrease in the number of vulnerable systems when a patch is released, explained SANS instructor and Nettles Consulting co-owner Jan Kopriva.
“Based on a quick visual analysis, it appears that (if we gloss over the sharp sudden decreases/increases that Shodan is prone to … and omit other Shodan-introduced artifacts, such as sharp increases in detections most likely associated with new detection analytics)” Kopriva noted.
“For most vulnerabilities, the number of affected systems decreases over time in more or less linear fashion, with a tendency to slowly level out.”
In short, the research found that the number of vulnerable systems tends to go down gradually over time, rather than dropping immediately after a patch and disclosure are released. On the rare occasions when the number of vulnerable machines does drop sharply, the cause is more likely a major vendor such as Microsoft dropping support for a platform than any widespread patching effort.
“Although for some vulnerabilities, there were occasions when a sharper short-term decrease was visible in the number of vulnerable systems,” Kopriva explained.
“These were always explainable not by increased patching but by removal of systems that reached their ‘end of life’ from production environments.”
As Kopriva summed up, the findings show that “the answer to the question of ‘How quickly do we patch?’ is still ‘Not nearly quickly enough!’”
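The pattern Kopriva describes, a steady near-linear decline with one-day Shodan artifacts and occasional permanent steps from end-of-life removals, can be checked numerically rather than by eye. The following is an added example, not code from the SANS report or from Shodan: it runs over a constructed daily series of vulnerable-host counts (all values made up), smooths single-day artifacts, fits the background trend, and measures whether a patch release produced any step beyond that trend.

```python
"""Patch-uptake analysis over a daily count of vulnerable hosts (constructed data)."""
from statistics import mean

PATCH_DAY = 10                                 # day index on which the fix shipped
# Constructed sample: 40 days of a steady ~12 hosts/day linear decline ...
COUNTS = [1000 - 12 * d for d in range(40)]
COUNTS[25] = 300                               # ... plus a one-day Shodan-style artifact


def smooth_artifacts(counts, max_rel_jump=0.25):
    """Replace single-day excursions that revert the next day with the average of
    their neighbours (the 'sharp sudden decreases/increases' Shodan is prone to)."""
    out = list(counts)
    for i in range(1, len(counts) - 1):
        prev, cur, nxt = counts[i - 1], counts[i], counts[i + 1]
        if abs(cur - prev) > max_rel_jump * prev and abs(nxt - prev) <= max_rel_jump * prev:
            out[i] = (prev + nxt) / 2
    return out


def linear_fit(counts):
    """Ordinary least-squares slope (hosts/day) and intercept over the day index."""
    n = len(counts)
    xm, ym = (n - 1) / 2, mean(counts)
    sxx = sum((x - xm) ** 2 for x in range(n))
    sxy = sum((x - xm) * (y - ym) for x, y in zip(range(n), counts))
    slope = sxy / sxx
    return slope, ym - slope * xm


def release_step(counts, release_day, window=5):
    """Relative drop between the mean of `window` days before the release and `window`
    days after it, net of the fitted linear trend. ~0 means no patch-driven step, only
    the steady background decline; a large positive value marks a real step (e.g. EOL)."""
    before = mean(counts[release_day - window:release_day])
    after = mean(counts[release_day + 1:release_day + 1 + window])
    slope, _ = linear_fit(counts)
    expected_after = before + slope * (window + 1)   # window centres are window+1 days apart
    return (expected_after - after) / before


def days_to_halve(counts):
    """Days until the vulnerable population halves at the fitted linear rate."""
    slope, intercept = linear_fit(counts)
    return float("inf") if slope >= 0 else (intercept / 2) / -slope


if __name__ == "__main__":
    clean = smooth_artifacts(COUNTS)
    print("slope hosts/day:", linear_fit(clean)[0])
    print("step at release:", release_step(clean, PATCH_DAY))
    print("days to halve:", days_to_halve(clean))
```

On the constructed series the release step is zero and the population needs roughly 42 days to halve, which is the "linear decline, no patch-day drop" shape the report describes; a series with a permanent end-of-life step at the same day scores a clearly positive step.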
The report carries particular weight this week given the disclosure of an actively exploited zero-day flaw in Microsoft SharePoint. The vulnerability allows threat actors to gain remote code execution on internet-facing systems and is believed to be under active exploitation in the wild. U.S. federal government agencies had a deadline of July 21 to patch all vulnerable machines against the flaw because of the risk of exploitation by foreign threat actors.