Firms patching internet security holes faster

But still too slow securing LANs, says research…

By Robert Lemos

Published: 30 July 2004 09:30 GMT

Driven by the rapid onslaught of new security threats, network administrators are fixing the most prevalent flaws more quickly, according to a new survey.

The survey, released by vulnerability assessment firm Qualys at the Black Hat Security Briefings in Las Vegas, found the average half life of a vulnerability - the length of time it takes for half of assailable computers to be fixed - fell to 21 days in 2004 from 30 days in 2003.

However, the report found improvements only with systems connected directly to the internet. Administrators took longer to patch computers located within a local area network, believing they were safe.

Companies typically patched flaws in internal systems within 62 days in 2004; Qualys did not measure the time it took to patch internally in 2003.

"If you look at the challenge that companies have internally, it is a factor of 10 more complicated," said Gerhard Eschelbeck, CTO at Qualys.

The numbers are the best-case scenario for how quickly companies patch their systems. Qualys only collects anonymous data from its clients. The average company connected to the internet is likely to patch flaws much more slowly, Qualys said.

The slow rate at which companies update their systems has caused software makers, such as Microsoft, to look for better ways to secure customers that have not patched. Those companies need to start fixing their systems, Eschelbeck said.

"Knowing where your problems are is the first step, and then figuring out how critical each problem is the next," he said.

Moreover, if the average time companies stay connected to the internet shrinks, the window of time that worm writers can exploit vulnerabilities to spread their programs is lowered as well.

"We will see those worms hitting in the first two half lives," he said. "So the first two half lives are the most important times, because they act as a breeding ground."

Robert Lemos writes for CNET News.com
