[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Any study on patch availability?

To: sudhakar+fulldisclosure@xxxxxxxxxxxxxxxx
Subject: Re: [Full-Disclosure] Any study on patch availability?
From: dila <dilabox@xxxxxxxxx>
Date: Fri, 7 Jan 2005 08:25:50 +0000

http://secunia.com/advisory_statistics/

ever heard of google?


On Sun, 26 Dec 2004 12:26:17 -0500 (EST),
sudhakar+fulldisclosure@xxxxxxxxxxxxxxxx
<sudhakar+fulldisclosure@xxxxxxxxxxxxxxxx> wrote:
> 
> Hi all,
> 
> Holiday season greetings.
> 
> I am a PhD student at Princeton studying security. I am interested in
> studying vulnerability statistics. I am interested in answering questions
> like:
> 
> 1. Which are the programs where bugs are found often?
> 
> 2. Which vendors tend to be frequently affected?
> 
> 3. What are the common vulnerabilities (buffer overflows I guess)?
> 
> 4. How often are patches available before a vulnerability is publicly
> disclosed?
> 
> 5. How much time does it take for a typical vendor to patch the bug?
> How
> diligent are various vendors regarding releasing patches?
> 
> 6. What are the OS specific statistics?
> 
> 7. How diligent are users/administrators regarding patching? In some cases
> there might be genuine reasons why you cannot patch (loss of availability
> etc.). I am aware of "Security holes... Who cares?" by Eric Rescorla.
> 
> 8. Have there been situations when a patch has not been available for a
> long time, say more than a month.
> 
> .
> .
> .
> .
> .
> 
> I am primarily interested in seeing how fast the patches are out. I am
> more interested in knowing about those situations when a patch is not
> available fast. What did people do to avoid getting hit? I would
> appreciate some concrete examples. So I am mostly interested in questions
> 4, 5, and 8.
> 
> Has someone already studied these patterns? Can the community refer me to
> some useful links? I would appreciate concrete examples and a quantitative
> analysis. I have talked to a few system administrators. But I am confused
> whether patch availability is indeed a problem. Unfortunately, the answer
> is specific to what software you are running and the answer tends to be
> subjective.
> 
> Thanks in advance,
> Regards,
> Sudhakar.
> 
> Sudhakar Govindavajhala                   Department of Computer Science
> Graduate Student,                         Princeton University
> Ph : (lab) +1 609 258 1763                   (office) +1 609 258 1798
>                http://www.cs.princeton.edu/~sudhakar
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- [Full-Disclosure] Any study on patch availability?
  - From: sudhakar+fulldisclosure

Prev by Date: RE: [Full-Disclosure] WinHKI - ARC File Extraction of 1KB to 1.56GB
Next by Date: [Full-Disclosure] [iSEC] [Dailydave] Advisory 1/2005 - Linux Kernel arbitrary code execution (fwd)
Previous by thread: [Full-Disclosure] Any study on patch availability?
Next by thread: [Full-Disclosure] Re: Again: zone transfers, a spammer's dream?
Index(es):
- Date
- Thread