31 July 2003 A new Internet security study has concluded that even for the most serious flaws, half of the vulnerable Internet-connected systems remain unpatched a month after the flaw has been uncovered.
Furthermore, many old vulnerabilities do not die out completely, but often make a comeback after a period of time, according to Gerhard Eschelbeck, chief technology officer of security software supplier Qualys.
Eschelbeck was speaking this week at the Black Hat Briefings security conference in Las Vegas, Nevada.
Eschelbeck believes that the main reason security flaws keep resurfacing is the installation and re-installation of old software, typically from CD-ROMs that might be found lying around in the IT department.
When the software is installed and the server is connected to the network or the Internet, IT staff rarely take the time to find out whether it needs patching.
Qualys specialises in vulnerability assessment software and services. The company’s study is the result of some 1.5 million scans done during the last 18 months.
However, it did find that many companies are prioritising security and patch management according to the perceived seriousness of flaws. While serious flaws would be dealt with almost immediately, less serious flaws might take as much as two months to address.