The data -- released on Wednesday at the Black Hat Briefings security Conference -- also showed that some flaws don't completely die out over time but actually make a comeback. The vulnerabilities exploited by the Code Red and SQL Slammer worms, for example, are allowing those threats to reassert themselves on the Internet, said Gerhard Eschelbeck, chief technology officer for vulnerability-assessment company Qualys.
"There is something going on that is bringing vulnerabilities back to life," Eschelbeck said, adding that the main theory is that companies continue to install systems that include out-of-date software.
The study, which correlates nearly 1.5 million scans done by Qualys over a year and a half, underscores the need for customers to be more proactive about patching systems and for software makers to weed out vulnerabilities during development.
The more serious the vulnerability, the quicker the companies patched it, the study found. Companies took longer to fix flaws thought to be less serious -- as much as 60 days longer -- by which time, in 80 percent of the cases, security researchers and hackers had released programs to exploit the flaws.
The data seems to support assertions by the Organisation for Internet Safety that companies need time to fix flaws and patch vulnerable systems.
Security researchers also attacked software vendors' seeming inability to eradicate the most serious bugs from their applications, saying that was a key problem in dealing with server insecurities.
Mary Ann Davidson, chief security officer for database maker Oracle, said her company takes good software seriously, but that many other companies still haven't learned the lesson.
"If you (a software company) do the math and you are serious about your reputation, you have every incentive to treat your customers' systems as if they were yours," Davidson said.
Davidson said better quality could come about through government requirements that call for federal purchasers to go with certified software.
"If the government is serious about demanding secure software, then the industry is going to have to change and provide it," Davidson said.
Davidson added the private sector should take a similar tack.
Talkback
Having a good policy is merely a text book where everyone should read...the GREATEST issue is on ENFORCING the practice in each policy.
A large percentage of staff in any corporations belongs to the non-techie group where there's much fear or ignorance associated with what's installed for their own good. They rely heavily on the techno folks to 'threat' their pc. They are not keen to better understand how the installed tools are safeguarding their privacy and online safety. They always wanted to be regarded as pure, innocent users, but they love gadgets.
They love to classify knowledge first, before acquiring the geez of it. They believe that anything more than the GUI are meant for techies. They also believe that they can perform their work more efficiently but knowing less, thereby doing less.
So talking flaws and bugs, I think these lie greatly in the average user.