Infosec: Companies dragging their feet with patches

Companies are hardly patching vulnerabilities any more quickly than they were five years ago, according to a new study.

Some 680 million vulnerabilities were found in 2008, 72 million of them critical, said Wolfgang Kandek, chief technology officer at Qualys, the security supplier that conducted the research. A critical vulnerability, in this classification, is one that could let an attacker take control of a computer remotely and install malicious software.

The figures have barely changed since Qualys released its last study in 2004. Then, it took an average of 30 days to hit the half-patched mark; for 2008 that figure has improved only marginally, to 29.5 days, Kandek said.

The latest data was collected throughout 2008, from Qualys scans of 80 million IP addresses using 200 scanners that looked at Internet-facing PCs and 5,000 internal scanners behind firewalls on company intranets.

Qualys has created its own measurement, called "half life", for how quickly companies patch: the number of days it takes companies in a given industry to patch half of the vulnerabilities that have been publicly released.
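The half-life metric is easy to compute from any vulnerability scanner's export, so a team can measure its own patch cycle against the figures above. The routine below is an added example written for this article; it is not Qualys's code or methodology. It takes per-host findings as (disclosure date, remediation date or None if still open), reports the number of days until at least half of the findings in a group were remediated, and returns None when the group is censored, that is, fewer than half were ever fixed inside the scan window. The industry names, dates and findings are constructed sample data.

```python
from datetime import date
from typing import Dict, List, Optional, Tuple

# One finding = (date the vulnerability was publicly disclosed,
#                date the scanner stopped seeing it on the host, or None if still open)
Finding = Tuple[date, Optional[date]]


def patch_half_life(findings: List[Finding]) -> Optional[int]:
    """Days from disclosure until at least half of the findings were remediated.

    Returns None when fewer than half were fixed by the end of the observation
    window: the half-life is then undefined (right-censored), not "0" or "infinite".
    """
    total = len(findings)
    if total == 0:
        raise ValueError("no findings to measure")

    # Age at remediation, in days since disclosure, for the findings that were fixed.
    fix_ages = sorted(
        (fixed - disclosed).days
        for disclosed, fixed in findings
        if fixed is not None
    )

    # We need ceil(total / 2) remediations before "half" is reached.
    needed = (total + 1) // 2
    if len(fix_ages) < needed:
        return None  # censored: half the population was never patched

    # The half-life is the age of the needed-th fastest remediation (order statistic).
    return fix_ages[needed - 1]


def half_life_by_industry(
    by_industry: Dict[str, List[Finding]],
) -> Dict[str, Optional[int]]:
    """Apply patch_half_life to each industry's findings, as the Qualys study did per sector."""
    return {name: patch_half_life(findings) for name, findings in by_industry.items()}


# Constructed sample data (hypothetical industries, hosts and dates; not from the study).
# Every finding here was disclosed on the same day, but the routine does not require that.
DISCLOSED = date(2008, 1, 8)
SAMPLE: Dict[str, List[Finding]] = {
    "finance": [
        (DISCLOSED, date(2008, 1, 13)),   # fixed after  5 days
        (DISCLOSED, date(2008, 1, 20)),   # fixed after 12 days
        (DISCLOSED, date(2008, 1, 27)),   # fixed after 19 days
        (DISCLOSED, date(2008, 2, 4)),    # fixed after 27 days
        (DISCLOSED, date(2008, 2, 17)),   # fixed after 40 days
        (DISCLOSED, None),                # still open
    ],
    "manufacturing": [
        (DISCLOSED, date(2008, 1, 18)),   # fixed after 10 days
        (DISCLOSED, date(2008, 2, 7)),    # fixed after 30 days
        (DISCLOSED, None),                # three of five never patched:
        (DISCLOSED, None),                # half-life undefined
        (DISCLOSED, None),
    ],
}


if __name__ == "__main__":
    for industry, days in half_life_by_industry(SAMPLE).items():
        label = f"{days} days" if days is not None else "undefined (less than half patched)"
        print(f"{industry}: half life = {label}")
```

Treating the censored case as None rather than silently averaging the fixed findings matters: a team that patches a third of its hosts quickly and never touches the rest would otherwise report a flattering number.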

"The patch cycle hasn't really accelerated," Kandek said during the InfoSecurity conference in London.
