December 24, 2004, 11:11 pm
Holiday season greetings.

I am a PhD student at Princeton studying security. I am interested in studying vulnerability statistics. I am interested in answering questions like:
1. Which are the programs where bugs are found often?
2. Which vendors tend to be frequently affected?
3. What are the common vulnerabilities (buffer overflows I guess)?
4. How often are patches available before a vulnerability is publicly
5. How much time does it take for a typical vendor to patch the bug? How diligent are various vendors regarding releasing patches?
6. What are the OS-specific statistics?
7. How diligent are users/administrators regarding patching? In some there might be genuine reasons why you cannot patch (loss of etc.). I am aware of "Security holes... Who cares?" by Eric Rescorla.
8. Have there been situations when a patch has not been available for a long time, say more than a month?
I am primarily interested in seeing how fast the patches are out. I am more interested in knowing about those situations when a patch is not available fast. What did people do to avoid getting hit? I would appreciate some concrete examples. So I am mostly interested in 4, 5, and 8.

Has someone already studied these patterns? Can the community refer me some useful links? I would appreciate concrete examples and a quantitative analysis. I have talked to a few system administrators. But I am confused whether patch availability is indeed a problem. Unfortunately, the answer is specific to what software you are running the answer tends to be subjective.

Thanks in advance,
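One way to compute the statistics asked for in questions 4, 5 and 8 from a set of advisory records, as an added Python example that is not part of the original post: the vulnerability ids, vendor and product names, and dates are all constructed, and the 30-day threshold and reference date are assumptions. The point it makes that the questions alone do not: the vendor medians are computed over patched records only, so a vendor with a long-open issue looks better than it is unless the open exposure window is reported separately.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str             # constructed label, not a real advisory id
    vendor: str
    product: str
    disclosed: date          # date the issue became public
    patched: Optional[date]  # date a vendor fix shipped; None if still unpatched


# Constructed sample data: ids, vendors, products and dates are all made up.
RECORDS = [
    VulnRecord("V-001", "VendorA", "webserver", date(2004, 3, 1), date(2004, 2, 20)),
    VulnRecord("V-002", "VendorA", "webserver", date(2004, 5, 10), date(2004, 5, 24)),
    VulnRecord("V-003", "VendorA", "mailer", date(2004, 6, 2), date(2004, 6, 2)),
    VulnRecord("V-004", "VendorB", "browser", date(2004, 4, 15), date(2004, 7, 1)),
    VulnRecord("V-005", "VendorB", "browser", date(2004, 8, 3), None),
    VulnRecord("V-006", "VendorB", "kernel", date(2004, 9, 20), date(2004, 10, 4)),
    VulnRecord("V-007", "VendorC", "dbserver", date(2004, 11, 30), None),
]

# Assumed reference date for issues that are still open.
AS_OF = date(2004, 12, 24)


def days_to_patch(r: VulnRecord) -> Optional[int]:
    """Days from public disclosure to the fix.

    Negative means the fix predated disclosure; None means no fix yet.
    """
    if r.patched is None:
        return None
    return (r.patched - r.disclosed).days


def share_patched_before_disclosure(records) -> float:
    """Question 4: fraction of records whose fix shipped on or before disclosure."""
    hits = sum(1 for r in records if r.patched is not None and r.patched <= r.disclosed)
    return hits / len(records)


def median_latency_by_vendor(records) -> dict:
    """Question 5: median days-to-patch per vendor.

    Only patched records contribute; a vendor with nothing patched is absent.
    That survivorship bias must be stated next to the numbers.
    """
    by_vendor: dict = {}
    for r in records:
        d = days_to_patch(r)
        if d is not None:
            by_vendor.setdefault(r.vendor, []).append(d)
    return {v: median(ds) for v, ds in sorted(by_vendor.items())}


def exposure_days(r: VulnRecord, as_of: date = AS_OF) -> int:
    """Days the issue was public with no fix: up to the patch date, or up to
    as_of if still open. Zero when the fix was out at or before disclosure."""
    end = r.patched if r.patched is not None else as_of
    return max(0, (end - r.disclosed).days)


def long_exposures(records, threshold_days: int = 30, as_of: date = AS_OF) -> list:
    """Question 8: ids whose public, unpatched window exceeded threshold_days."""
    return [r.vuln_id for r in records if exposure_days(r, as_of) > threshold_days]


if __name__ == "__main__":
    print("patched at/before disclosure:", round(share_patched_before_disclosure(RECORDS), 3))
    print("median days to patch by vendor:", median_latency_by_vendor(RECORDS))
    for r in RECORDS:
        print(f"{r.vuln_id} {r.vendor}/{r.product}: exposed {exposure_days(r)} days")
    print("open longer than 30 days:", long_exposures(RECORDS))
```

Unpatched issues are excluded from the vendor medians but show up in `long_exposures`, which is why the two figures should always be reported together; a real study would also need to decide which disclosure date to use when several sources disagree.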