‘Patching window’ is getting shorter and shorter, says ISS’ X-Force
LONDON – March 7, 2006 – Internet Security Systems (ISS) (NASDAQ: ISSX) has today published a report which shows that hackers and cyber criminals are developing malicious code to exploit known vulnerabilities much faster than before. The X-Force Threat Insight Quarterly highlights that the number of vulnerabilities in 2005 increased by over 33% compared with 2004.
Analysts from X-Force, the research and development team at ISS, evaluated 4472 vulnerabilities in both hardware and software during 2005. Measured from the public announcement of the vulnerability on the internet, the report highlights that for 3.13% of the threats discovered, malicious code surfaced within 24 hours, and for 9.38% it surfaced within 48 hours.
“We are seeing an increase in ‘zero-day exploits’ from hackers appearing at the same time the vulnerability is published,” said Gunter Ollman, Director of X-Force at Internet Security Systems. “This does not allow product developers the time to test and issue the necessary patches needed by the end-users and enterprise administrators. Therefore users without pro-active protection are quite often without protection against threats for several days or even weeks.”
Worryingly, 12.5% of the threats had exploit code included in the disclosure itself. This means that malicious code had been released into the wild at the very moment the vulnerability was published.
This indicates that hackers are themselves actively looking for vulnerabilities and only publish once they have developed an exploit for them. As a result, the time frame between the publication of a vulnerability and the release of malicious exploit code, often referred to as the ‘patching window’, is getting shorter and shorter.
“It is anticipated that the period between vulnerability disclosure and public availability of exploit material will continue to shrink, particularly for those ‘high profile’ vulnerabilities lying in default network services associated with popular desktop operating systems,” added Ollman. “The rapid development of exploit code following public disclosure will inevitably lead to increasing infection rates of bot-worms and malware such as spyware and rootkit installer agents.”
In addition, 50% of vulnerabilities had either exploit or proof-of-concept code surface within one week. A proof-of-concept is a first version of malicious code which hackers publish on the internet to show how a certain vulnerability can be exploited. It is common for the proof-of-concept to circulate within a relatively small group of hackers who test and improve the code. The result is ultimately a so-called exploit: malicious software code that is made to be used by a large group of hackers to take advantage of the known vulnerability. Exploits are also often published in certain hacker newsgroups to ensure faster and wider distribution.
The X-Force team develops a virtual patch, based on the vulnerabilities it discovers and evaluates, to ensure all ISS customers are immediately protected against known and unknown threats, giving them time to install the official patch provided by the hardware or software developer.
The latest X-Force Threat IQ report can be downloaded at:
Additionally, X-Force security alerts and security advisories can be downloaded at:
For more information on pre-emptive security, visit
The X-Force, with over 100 researchers, is one of the largest R&D groups in the security market and is continuously looking for vulnerabilities in software, databases, operating systems and network systems. According to Frost & Sullivan, the X-Force uncovers more than 51% of high-risk vulnerabilities. When the X-Force discovers a vulnerability, the software manufacturer is informed so that it can develop a patch. The moment the vulnerability is discovered, ISS products are immediately updated with a so-called ‘virtual patch’ to ensure pro-active protection. Through this process all ISS customers are automatically protected when an exploit appears in the wild. For more information, please visit http://xforce.iss.net/
About Internet Security Systems, Inc.
Internet Security Systems, Inc. (ISS) is the trusted security advisor to thousands of the world’s leading businesses and governments, providing pre-emptive protection for networks, desktops and servers. An established leader in security since 1994, ISS’ integrated security platform automatically protects against both known and unknown threats, keeping networks up and running and shielding customers from online attacks before they impact business assets. ISS products and services are based on the proactive security intelligence of its X-Force® research and development team – the unequivocal world authority in vulnerability and threat research. ISS’ product line is also complemented by comprehensive Managed Security Services. For more information, visit the Internet Security Systems website at www.iss.net/uk or call (0)1753 845 100.