System administrators are still not patching systems frequently enough, according to a recently published study of a software security flaw that allowed the Linux Slapper worm to spread. In fact, even after the Slapper worm highlighted the existence of a vulnerability in the Web security software known as OpenSSL, three out of 10 systems that had the flaw continue to be vulnerable even today, said Eric Rescorla, an independent security consultant.
"Administrators aren't as responsive as they should be," he said. "Even after a relatively serious hole is found, administrators don't do the right things."
Over the past three years, software makers have been forced by their customers to be more responsive to security vulnerabilities in their products. The U.S. government has gotten into the act as well, with Richard Clarke, presidential adviser on cybersecurity, making repeated calls for companies to shore up holes in the servers for which they are responsible.
However, system administrators--many of them overworked--haven't taken the message to heart, according to Rescorla's research. The research studied the response to the release of information in July relating to a flaw in OpenSSL, a commonly used open-source program to secure data going between Web servers and browsers using channels encrypted with the Secure Sockets Layer (SSL).