[EMAIL PROTECTED] writes:

> On Wed, 09 Jun 2004 18:45:55 EDT, Sean Donelan <[EMAIL PROTECTED]> said:
>
>> The numbers vary a little e.g. 38% or 42%, but the speed or severity or
>> publicity doesn't change them much. If it is six months before the
>> exploit, about 40% will be patched (60% unpatched). If it is 2 weeks,
>> about 40% will be patched (60% unpatched). It's a strange "invisible hand"
>> effect, as the exploits show up sooner the people who were going to patch
>> anyway patch sooner. The ones that don't, still don't.
>
> Remember that the black hats almost certainly had 0-days for the
> holes, and before the patch comes out, the 0-day is 100% effective.
What makes you think that black hats already know about your average hole?

> Once the patch comes out and is widely deployed, the usefulness of
> the 0-day drops.
>
> Most probably, 40% is a common value for "I might as well release
> this one and get some recognition". After that point, the residual
> value starts dropping quickly.

I don't think this assessment is likely to be correct. If you look, for
instance, at the patching curve on page 1 of "Security holes... Who cares?"
(http://www.rtfm.com/upgrade.pdf) there's a pretty clear flat spot from
about 25 days (roughly 60% patch adoption) to 45 days (release of the
Slapper worm). So, once that 2-3 week initial period has passed, the value
of an exploit is roughly constant for a long period of time.

-Ekr