Discussion in 'other security issues & news' started by Hungry Man, Jun 9, 2012.
Interesting information, however of a theoretical rather than practical value... I ran a totally unpatched system for 3 years (some time ago) and I never got infected because of other security measures in place (including safe browsing, which can never be really quantified in a study).
You're part of a minority... It seems to me that the study has practical value and that, more than reasonable, it is in fact conservative.
It's not about whether you'll be infected or not; it's a matter of whether or not you're vulnerable and to what extent.
A finger in the air weather check type estimate and then subsequent conclusion based on same.
I hear people say that all the time. How do you KNOW that you weren't compromised?
"Based on the figures above the average Windows desktop user would have been vulnerable to actively exploited 0-day vulnerabilities for at least 166 days, with any overlapping of vulnerability exposure being factored in."
As I said, this is the kind of conclusion that has no practical use. It is interesting as a theoretical experiment, but it doesn't really matter that you are vulnerable 166 days, 180 days or 3 days. All that matters is that there is a window of risk (longer or shorter, that is not really important) when you are vulnerable to 0-day exploits. Because of this (and the study points this out correctly) you need other security measures than just patching your OS and your application. This is exactly the case I was talking about, when I talked about the experiment of having a computer unpatched for a long time, but with other security measures in place.
Again, to make myself clear, I wasn't contesting the results or the general conclusion, I was just pointing out that there is little practical use in knowing exactly how many days you are vulnerable in a year.
With a few name, date and percentage changes, that looks almost exactly like articles I've been seeing for years. Windows and the apps installed on it have been consistently vulnerable for as long as it's been connected to the internet. In spite of who knows how many gigabytes of updates, scheduled patch days, all kinds of updaters and update services, and the rapid release of new versions of apps, in the end it's the same story it's always been.
IMO it's hard to see how an OS can be used on 90% of desktops and not be consistently vulnerable. Say what you will about Windows' security shortcomings, omnipresence is a huge incentive for blackhats.
...at least I am consistently vulnerable.