Wireless Vulnerabilities Decreasing

The number of wireless security vulnerabilities in the real world is vanishingly small, research from Qualys has suggested.

That was the finding of latest annual Laws of Vulnerabilities report written by Qualys CTO Gerhard Eschelbeck.

Despite worries about wireless security, only one in 20,000 of the vulnerabilities uncovered by scans of the company’s customer base related to wireless systems. The figure can be considered significant because it was drawn from analysis of 32 million live networks scans and 21 million uncovered instances of vulnerabilities.

The research also showed that external network patching “half-life” has improved from last year’s figure of 21 days to this year’s 19 days. The half-life is defined at the time it takes company’s to patch at least 50 percent of their systems, thus reducing exposure to security threats.

Internal network patching has also come down from 62 days to 48 days during the same period. In total, 90 percent of such exposure is caused by only 10 percent of the critical holes.

On a less positive note, the time it takes for exploits to appear for vulnerabilities is also shrinking. Fully 80 percent of the most dangerous holes are exploited within the current half-life period. The overwhelming majority of automated attacks do their damage in the first 15 days.

“2005 has been the year of improvements for patching and updating vulnerable systems. This is heavily driven by the fact that vendors like Microsoft and others are now are issuing regular advisories with patch updates, which ends up speeding the prioritization and remediation efforts within organizations,” said Eschelbeck.

As with last year, Microsoft dominates the top ten critical vulnerabilities, both for internal and external networks. Not surprisingly given the company’s desktop dominance, the report detects a marked move towards security holes affecting clients rather than servers, with the former accounting for 60 percent of new vulnerabilities uncovered.

The number of wireless security vulnerabilities in the real world is vanishingly small, research from Qualys has suggested.

That was the finding of latest annual Laws of Vulnerabilities report written by Qualys CTO Gerhard Eschelbeck.

Despite worries about wireless security, only one in 20,000 of the vulnerabilities uncovered by scans of the company’s customer base related to wireless systems. The figure can be considered significant because it was drawn from analysis of 32 million live networks scans and 21 million uncovered instances of vulnerabilities.

The research also showed that external network patching “half-life” has improved from last year’s figure of 21 days to this year’s 19 days. The half-life is defined at the time it takes company’s to patch at least 50 percent of their systems, thus reducing exposure to security threats.

Internal network patching has also come down from 62 days to 48 days during the same period. In total, 90 percent of such exposure is caused by only 10 percent of the critical holes.

On a less positive note, the time it takes for exploits to appear for vulnerabilities is also shrinking. Fully 80 percent of the most dangerous holes are exploited within the current half-life period. The overwhelming majority of automated attacks do their damage in the first 15 days.

“2005 has been the year of improvements for patching and updating vulnerable systems. This is heavily driven by the fact that vendors like Microsoft and others are now are issuing regular advisories with patch updates, which ends up speeding the prioritization and remediation efforts within organizations,” said Eschelbeck.

As with last year, Microsoft dominates the top ten critical vulnerabilities, both for internal and external networks. Not surprisingly given the company’s desktop dominance, the report detects a marked move towards security holes affecting clients rather than servers, with the former accounting for 60 percent of new vulnerabilities uncovered.

By John E. Dunn, Techworld.com