nanog mailing list archives

Re: AV/FW Adoption Studies


From: Valdis.Kletnieks () vt edu
Date: Thu, 10 Jun 2004 11:28:59 -0400

On Wed, 09 Jun 2004 18:45:55 EDT, Sean Donelan <sean () donelan com>  said:

> The numbers vary a little e.g. 38% or 42%, but the speed or severity or
> publicity doesn't change them much.  If it is six months before the
> exploit, about 40% will be patched (60% unpatched).  If it is 2 weeks,
> about 40% will be patched (60% unpatched).  It's a strange "invisible hand"
> effect, as the exploits show up sooner the people who were going to patch
> anyway patch sooner.  The ones that don't, still don't.

Remember that the black hats almost certainly had 0-days for the holes, and
before the patch comes out, the 0-day is 100% effective.   Once the patch comes
out and is widely deployed, the usefulness of the 0-day drops.

Most probably, 40% is a common value for "I might as well release this one and
get some recognition".  After that point, the residual value starts dropping
quickly.

Dave Aucsmith of Microsoft seems to think there's a flurry of activity to
reverse engineer the patch:

http://news.bbc.co.uk/1/hi/technology/3485972.stm

In fact, half of them are just sitting there and playing "chicken" - you wait
too long, and somebody else gets the recognition as "best reverse engineer" by
Aucsmith, but if you wait too little, you lose your 0-day while it still has
some effectiveness.

Somebody else can turn the crank on the game-theory machine and figure out what
the mathematically optimum release point is....
