If the vulnerability is announced in conjunction with the release of
a patch, the public wants to know how long the vendor knew about the vulnerability
before the patch was released. This is an important piece of information, as it lets users
know how long the vendor left them vulnerable to potential zero-day attacks. When vulnerabilities
are disclosed prior to vendor notification, users of the affected software
demand a rapid response from the vendor so that they can get their software patched
and become immune to potential attacks associated with the newly announced vulnerability.
As a result, vendor response time has become one of the factors that some use to
select which applications might best suit their needs. In some cases, vendors have
elected to regulate the frequency with which they release security updates. Microsoft, for
example, is well known for its "Patch Tuesday" process of releasing security updates on
the second Tuesday of each month. Unfortunately, astute attackers may choose to
announce vulnerabilities on the following day in an attempt to assure themselves of at
least a one-month response time. In response to perceived sluggishness on the part of
software vendors where patching vulnerabilities is concerned, there has been a recent
rise in the number of third-party security patches being made available following the
disclosure of vulnerabilities.