Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Test shows how vulnerable unpatched Windows is

Symantec reveals how quickly unpatched Microsoft software is compromised.

Article comments

A test has revealed that a Linux server is far less likely to be compromised. In fact, unpatched Red Hat and SuSE servers were not breached at all during a six-week trial, while the equivalent Windows systems were compromised within hours.

An unpatched Windows 2000 Server was the quickest to be compromised, at an hour and 17 minutes, while unpatched Windows Server 2003 lasted slightly longer. Windows XP Professional, unpatched, lasted one hour and 12 seconds. Meanwhile, Unpatched Red Hat Enterprise Linux 3 and SuSE Linux 9 Desktop weren't compromised during the month and a half it was exposed to the Internet.

However, patching does make a difference. Patched versions of Windows fared far better, remaining untouched throughout the test, as did the Red Hat and Suse deployments.

The results of the test were confirmed by Symantec's other finding, Companies were at risk from unpatched software bugs for an average of 42 days per bug during the second half of last year, according to the company's latest semi-annual Internet Security Threat Report, released this week.

The report also found that the Firefox browser had fewer vulnerabilities than Microsoft Internet Explorer, due to a revision in the way Symantec counts bugs; and that unpatched versions of Windows last just over an hour on the Internet before being compromised, among other findings.

The report highlights the fact that even quick patching isn't enough to keep software secure, since exploit code began to circulate an average of 6.8 days after the disclosure of a vulnerability, while a vendor-supplied patch wasn't available until an average of 49 days after disclosure, Symantec said.

Symantec's figures deal with averages, and thus overlook the fact that vendors usually patch the most serious bugs more quickly than less dangerous flaws, minimising risk somewhat. Still, so-called "zero day" flaws are becoming more common, even in high-profile applications such as Internet Explorer. In August, for example, a researcher warned of an unpatched hole affecting IE 6 on a fully-patched Windows Server 2003 and Windows XP with Service Pack 2.

The report now features two different ways of counting browser bugs: one that finds that Internet Explorer has the most vulnerabilities, and a second that reveals Firefox as the bug leader.

Firefox had the highest number of vendor-confirmed vulnerabilities, with 13 bugs reported during the six months covered by the report, compared with Internet Explorer's 12, said Dave Cole, a director of Symantec Security Response.

However, the latest report also includes a count of bugs found by security researchers that have not been confirmed by Microsoft or the Mozilla Foundation, which owns Mozilla. By that count, Internet Explorer had the most security issues: 24, compared with Firefox's 17.

Symantec decided to begin counting the unconfirmed bugs "partially in response" to feedback from the Mozilla team after publishing its previous report in September 2005. That report counted only confirmed bugs, with 18 for Firefox and 13 for Internet Explorer. "We said, 'OK, for the next report we'll look at them both,'" Cole said. "It's something we might have looked at anyway."

Open-source projects tend to have more vendor-confirmed bugs because of the transparency of the bug-fixing process, according to Symantec.

The report found that attackers are increasingly targeting web applications and are tending to use more modular, easily updated code. The company documented 1,895 new software vulnerabilities, the highest number since 1998, of which 97 percent were moderately to highly severe and 79 percent were easy to exploit.


More from Techworld

More relevant IT news


Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *