It is true, looking at sheer numbers, that most exploits occur after the patch is available. See, for example, Arbaugh et al
http://www.cs.umd.edu/~waa/pubs/Windows_of_Vulnerability.pdf
There are many reasons not to patch immediately (why should you Beta test the patch rushed out by the same guys who messed up in the first place? How much did they test? Did they test it on a system and configuration similar to yours? Can you afford the (potential) down time? Can you convince the PHB that it is more important than whatever else you have to do?)
You cannot just look at the raw numbers of exploits, which occur after a script becomes readily available (and one has to admit that a patch can be a very good recipe for scripting an exploit). What does not show up when looking at the raw numbers are the exploits that get in, do what they want to do, and then get out without saying "hey, look at me" (i.e. by participating in a DDoS attack). How much (unreported) fraud is associated with those first attacks?
They have the internet on computers now?
The licensing fees do add up..