Valdis.Kletnieks@vt.edu writes:
> On Wed, 09 Jun 2004 18:45:55 EDT, Sean Donelan <sean@donelan.com> said:
> > The numbers vary a little, e.g. 38% or 42%, but the speed or severity or publicity doesn't change them much. If it is six months before the exploit, about 40% will be patched (60% unpatched). If it is 2 weeks, about 40% will be patched (60% unpatched). It's a strange "invisible hand" effect: as the exploits show up sooner, the people who were going to patch anyway patch sooner. The ones that don't, still don't.
> Remember that the black hats almost certainly had 0-days for the holes, and before the patch comes out, the 0-day is 100% effective.
What makes you think that black hats already know about your average hole?
> Once the patch comes out and is widely deployed, the usefulness of the 0-day drops.
> Most probably, 40% is a common value for "I might as well release this one and get some recognition". After that point, the residual value starts dropping quickly.
I don't think this assessment is likely to be correct. If you look, for instance, at the patching curve on page 1 of "Security holes... Who cares?" (http://www.rtfm.com/upgrade.pdf), there's a pretty clear flat spot from about 25 days (roughly 60% patch adoption) to 45 days (release of the Slapper worm). So, once that 2-3 week initial period has passed, the value of an exploit is roughly constant for a long period of time.
-Ekr