nanog mailing list archives

Re: AV/FW Adoption Studies


From: Eric Rescorla <ekr () rtfm com>
Date: Thu, 10 Jun 2004 08:50:18 -0700


Valdis.Kletnieks () vt edu writes:

> On Wed, 09 Jun 2004 18:45:55 EDT, Sean Donelan <sean () donelan com> said:
>
> > The numbers vary a little e.g. 38% or 42%, but the speed or severity or
> > publicity doesn't change them much.  If it is six months before the
> > exploit, about 40% will be patched (60% unpatched).  If it is 2 weeks,
> > about 40% will be patched (60% unpatched).  It's a strange "invisible hand"
> > effect, as the exploits show up sooner the people who were going to patch
> > anyway patch sooner.  The ones that don't, still don't.

> Remember that the black hats almost certainly had 0-days for the
> holes, and before the patch comes out, the 0-day is 100% effective.

What makes you think that black hats already know about your
average hole?


> Once the patch comes out and is widely deployed, the usefulness of
> the 0-day drops.
>
> Most probably, 40% is a common value for "I might as well release
> this one and get some recognition".  After that point, the residual
> value starts dropping quickly.

I don't think this assessment is likely to be correct. If you look, for
instance, at the patching curve on page 1 of "Security holes... Who
cares?" (http://www.rtfm.com/upgrade.pdf) there's a pretty clear flat
spot from about 25 days (roughly 60% patch adoption) to 45 days
(release of the Slapper worm). So, once that 2-3 week initial
period has passed, the value of an exploit is roughly constant
for a long period of time.

-Ekr
