To determine whether there is a significant number of pervasive vulnerabilities, we analyze vulnerability data from a variety of sources, including NVD [4], Securityfocus [6], and other independent sources. We focus on remotely exploitable vulnerabilities in the default installation of Windows XP Service Pack 2, between August 2004 (the Windows XP SP2 release date) and January 2007. We classify vulnerabilities based on whether they can be triggered through direct injection ("push" exploits) or through spoofing attacks as discussed in the previous section ("pull" exploits). Starting from basic information available through the NVD database, we verify the vulnerability information and derive further details such as exploit availability, exploitation technique, disclosure date, and patch dates primarily from Securityfocus archives but also other independent sources.
For all the qualifying vulnerabilities, we attempt to get a rough estimate of the vulnerability window: the amount of time the vulnerability was known and not patched in the majority of hosts. Unfortunately, publicly-available information does not always give us an accurate timeline of exploitation time vs. disclosure time, and we therefore have to make certain assumptions. In particular, we optimistically assume that by the time a vendor (in this case, Microsoft) releases an update, all hosts in the network are instantly updated and patched. In most (but not all) cases, the vulnerability is disclosed by the vendor only when the update is available. As such, it is not always possible to determine exactly when the vulnerability became known and to consider this as the start of the vulnerability window.
In lack of more accurate data, we assume that the vulnerability window starts two week before the update is issued, as Microsoft only posts updates every second Tuesday of each month. This is corroborated by Symantec which reported an average period of 13 days for the first half of 2006 between disclosure date of a vulnerability and the release date of an associated patch by Microsoft [53].
The results indicate significant exposure to vulnerabilities in the default configuration over the last two years, accounting for more than 50% of all days in the total period. Vulnerabilities of "push" type, i.e., that affect services and don't need user interaction, were active for 105 days (11.89%) while "pull" type, i.e., that need user-interaction of some-kind, were active for 428 days (48.47%). We believe this observation suggests a trend, in which server/services components seem to be relatively robust when compared to client components. This is especially alarming in the context of wifi worms, because they are particularly suited for exploiting such vulnerabilities, and their abundance may give them another evolutionary advantage over Internet worms. Overall, we have found that 60% of the listed vulnerabilities had public exploits available for 391 days (44.28%) during the time period.
Other analyses of vulnerability exposure for the years 2004-2006 published on the Internet paint an even dimmer picture for "pull" type attacks. For a total of 284 days (78%) in 2006, exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet, and there were at least 98 days in which no software fixes from Microsoft were available to fix IE flaws that criminals were actively using to steal personal and financial data from users [39]. For at least 256 days (70%) in 2005, Internet Explorer contained unpatched vulnerabilities where the exploit method had been publicly disclosed but was not necessarily being used, and for at least 38 days in 2005, IE was vulnerable to unpatched critical security flaws that were being actively exploited [38]. A fully patched Internet Explorer installation was known to be unsafe for 98% of 2004, and for 200 days (54%) there was a worm or virus in the wild exploiting one of those unpatched vulnerabilities [11]. For Firefox, there were 56 days (15%) in 2004 where a publicly known remote-code execution had not yet been thwarted with a patch [11].