Time to.. Track More Data

Posted by jericho Fri, 19 Feb 2010 06:06:00 GMT

Over the years, security practitioners have been interested in specific metrics related to vulnerability timelines. Certain dates, if present, can be used to extrapolate additional information related to the timeline and vulnerability handling.

Using Vendor Informed Date and Vendor Solution Date, we can extrapolate "time to patch". This is the amount of time between the vendor learning about a vulnerability, and providing a solution (i.e., patch, workaround, upgrade).

Using Exploit Publish Date and Vendor Solution Date, we can extrapolate "time of exposure". This is the amount of time between the publishing of exploit code and the vendor providing a solution. For these vulnerabilities, there is no doubt that an attacker could exploit the vulnerability and a target has no practical solution. While any disclosed vulnerability may be exploited, a lack of details may make exploitation considerably more difficult, or raise the bar so that only dedicated attackers could use the information. In those cases the exposure still exists, but how practical exploitation would be is questionable.
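The two metrics defined above, as an added example (not OSVDB's code) that computes them over records where some dates are absent and sorts the results longest first. The field names, the sample records and the choice to count an exploit published after the solution as zero days of exposure are assumptions.

```python
from datetime import date

# Constructed sample records. Field names are assumptions modelled on the
# date names used in the post; the IDs are placeholders, not real entries.
RECORDS = [
    {"id": "EXAMPLE-1", "vendor_informed": date(2009, 1, 5),
     "exploit_published": date(2009, 2, 1), "vendor_solution": date(2009, 3, 17)},
    {"id": "EXAMPLE-2", "vendor_informed": date(2008, 6, 10),
     "exploit_published": None, "vendor_solution": date(2009, 6, 10)},
    {"id": "EXAMPLE-3", "vendor_informed": None,
     "exploit_published": date(2009, 9, 1), "vendor_solution": date(2009, 8, 20)},
    {"id": "EXAMPLE-4", "vendor_informed": date(2009, 11, 2),
     "exploit_published": date(2009, 11, 3), "vendor_solution": None},
]

def days_between(start, end):
    """Whole days from start to end, or None if either date is missing."""
    if start is None or end is None:
        return None
    return (end - start).days

def time_to_patch(rec):
    """Vendor Informed Date -> Vendor Solution Date."""
    return days_between(rec["vendor_informed"], rec["vendor_solution"])

def time_of_exposure(rec):
    """Exploit Publish Date -> Vendor Solution Date."""
    days = days_between(rec["exploit_published"], rec["vendor_solution"])
    # Assumption: an exploit published after the solution leaves no window.
    return None if days is None else max(days, 0)

def worst_offenders(records, metric):
    """(id, days) pairs where the metric is computable, longest first."""
    scored = [(rec["id"], metric(rec)) for rec in records]
    return sorted(((i, d) for i, d in scored if d is not None),
                  key=lambda pair: pair[1], reverse=True)

if __name__ == "__main__":
    print("time to patch:   ", worst_offenders(RECORDS, time_to_patch))
    print("time of exposure:", worst_offenders(RECORDS, time_of_exposure))
```

Records missing one of the two dates a metric needs are left out of that ranking rather than counted as zero, so an entry with no solution date does not appear as a fast patch.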

In the past, eEye prominently displayed the vendor's time to patch on their advisories. eEye also began tracking "zero day threats" that also highlighted "days of exposure". The Zero Day Initiative (ZDI) tracks time to patch for upcoming advisories as well. Unfortunately for the industry, the time to patch information was tracked just for eEye and ZDI advisories.

OSVDB has made changes to better track both time to patch and time of exposure. First, the display of the related dates has been re-worked to present a more distinct timeline, with extrapolated times below it (e.g., http://osvdb.org/22582). Second, you can now quickly browse the worst offenders:

Time of Exposure - http://osvdb.org/browse/time_of_exposure

Time to Patch - http://osvdb.org/browse/time_to_patch

Know of any offenders that aren't on these lists? Feel free to mangle the entry and add missing dates, or simply contact us with a CVE identifier, OSVDB ID or information about the vulnerability.
