Dr. Sam Ransbotham, assistant professor at Boston College, has recently completed an empirical study of exploitation attempts against open source vulnerabilities. The study shows that vulnerabilities in open source software are exploited faster, and spread more widely, than vulnerabilities in proprietary software.
This finding of Dr. Ransbotham's is interesting, yet it raises more questions than it answers. Why are vulnerabilities in open source software more likely to be exploited, and what can be done about it?
To answer those questions, we need more information. We need to know which software and which vulnerabilities were observed in the study. We need to know how each exploitation spreads, to find out whether there are software packages within the open source pool that are at higher risk than the rest. I was in contact with Dr. Ransbotham by e-mail, but unfortunately he was not able to share information on the alerts from which he compiled his statistics.
I also wonder when the exploits are counted. Are some of the exploits discovered and counted by signature file? In that case – are they counted a) after the signature file has been installed for a while and at the moment the malicious file infects the system, or b) at the moment the signature file is installed, after the vulnerability has already been exploited for an unknown period of time?
Yet another highly important factor is patch dates and the participating companies' patching policies: on what date was the patch available from the vendor, and on what date was it installed?
We know from earlier studies that patches for open source software are delivered faster than patches for proprietary software. From Dr. Ransbotham's study we can read that fewer open source vulnerabilities are exploited and more open source vulnerabilities are patched, and yet more companies experience malicious attacks. If these data are correct, can the statistics that disfavour open source be turned around by companies adopting patches faster?
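The two dates asked for above (patch available from the vendor, patch installed) together with the dates of observed exploitation attempts are enough to measure the exposure window per vulnerability, which is the figure the study's numbers cannot be read without. The following is an added example, not code or data from Dr. Ransbotham's study: the records are constructed, and the rule that an attempt on the install date itself still counts as "while exposed" is an assumption.

```python
from datetime import date
from statistics import mean

# Constructed sample records for illustration only; they are not figures from
# Dr. Ransbotham's study. Each record holds the date the vendor released a patch,
# the date the organisation installed it (None if still unpatched), and the dates
# on which exploitation attempts against that vulnerability were observed.
RECORDS = [
    {"id": "vuln-A", "released": date(2010, 1, 4), "installed": date(2010, 1, 6),
     "attempts": [date(2010, 1, 5), date(2010, 1, 20)]},
    {"id": "vuln-B", "released": date(2010, 2, 1), "installed": date(2010, 3, 15),
     "attempts": [date(2010, 2, 10), date(2010, 2, 28), date(2010, 4, 1)]},
    {"id": "vuln-C", "released": date(2010, 2, 20), "installed": None,
     "attempts": [date(2010, 3, 3)]},
]


def patch_latency_days(record):
    """Days between the vendor releasing the patch and the organisation
    installing it. Returns None while the patch is not installed."""
    if record["installed"] is None:
        return None
    return (record["installed"] - record["released"]).days


def split_attempts(record):
    """Count exploitation attempts that landed while the system was still
    unpatched versus after the patch was installed. An attempt on the install
    date itself is counted as 'before' (assumption: the patch is applied at
    end of day). An unpatched system is exposed to every attempt."""
    before = after = 0
    for day in record["attempts"]:
        if record["installed"] is None or day <= record["installed"]:
            before += 1
        else:
            after += 1
    return before, after


def summarise(records):
    """Aggregate the records into the figures the post asks about: how many
    vulnerabilities are patched, the mean patch latency, and how many
    attempts fell inside the exposure window versus after it closed."""
    latencies = [d for d in (patch_latency_days(r) for r in records) if d is not None]
    before_total = after_total = 0
    for r in records:
        b, a = split_attempts(r)
        before_total += b
        after_total += a
    return {
        "patched": len(latencies),
        "unpatched": len(records) - len(latencies),
        "mean_latency_days": mean(latencies) if latencies else None,
        "attempts_while_exposed": before_total,
        "attempts_after_patch": after_total,
    }


if __name__ == "__main__":
    for r in RECORDS:
        print(r["id"], patch_latency_days(r), split_attempts(r))
    print(summarise(RECORDS))
```

Run against the constructed records, the summary shows four of six attempts landing inside exposure windows, with a mean patch latency of 22 days; shrinking that latency is the only one of the three dates a company controls, which is what the question above comes down to.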
Not much of a conclusion here, other than: patch your systems.