I think it hits the nail on the head to observe that this study misses the fact that there are important and highly secure systems that are actively patched by active administrators and that the unpatched systems are largely "lesser" systems.
Certainly, I see many system administrators commenting on this topic that they are actively patching their system. Without finding and reporting security holes, these (presumably more valuable) systems could not protect themselves from exploits. That's why there's such an urgent opposition to the conclusion of this study, I think.
If one abandons the presumption in the report that all exploited systems are equal, one can potentially see the benefit of discovering and reporting security holes and allowing active system administrators to protect critical systems at the cost of compromising a greater number of "lesser" systems at homes and small offices with no active system administrator.
The goal of automatically distributing fixed or patched versions (as discussed here at length) may be really important in protecting these "lesser" systems or in making the work of system administrators simpler, but without the consensus, infrastructure or machanisms to do so, it still makes sense to allow administrators of critical systems to respond quickly to these threats.
Slashdot Mirror
I think it hits the nail on the head to observe that this study misses the fact that there are important and highly secure systems that are actively patched by active administrators and that the unpatched systems are largely "lesser" systems.
Certainly, I see many system administrators commenting on this topic that they are actively patching their system. Without finding and reporting security holes, these (presumably more valuable) systems could not protect themselves from exploits. That's why there's such an urgent opposition to the conclusion of this study, I think.
If one abandons the presumption in the report that all exploited systems are equal, one can potentially see the benefit of discovering and reporting security holes and allowing active system administrators to protect critical systems at the cost of compromising a greater number of "lesser" systems at homes and small offices with no active system administrator.
The goal of automatically distributing fixed or patched versions (as discussed here at length) may be really important in protecting these "lesser" systems or in making the work of system administrators simpler, but without the consensus, infrastructure or machanisms to do so, it still makes sense to allow administrators of critical systems to respond quickly to these threats.