My prior post showed my research from earlier in the year at the 2016 Linux Security Summit on kernel security flaw lifetimes. Now that CVE-2016-5195 is public, here are updated graphs and statistics. Because Critical bugs are so rare, their average lifetime has now jumped from 3.3 years to 5.2 years. There aren’t many, but, as I mentioned, they still exist, whether you know about them or not. CVE-2016-5195 was sitting on everyone’s machine when I gave my LSS talk, and there are still other flaws on all our Linux machines right now. (And, I should note, this problem is not unique to Linux.) Living with the fact that there will always be bugs present requires proactive kernel self-protection (to minimize the effects of possible flaws) and vendors dedicated to updating their devices regularly and quickly (to keep the exposure window minimized once a flaw is widely known).
So, here are the graphs updated for the 668 CVEs known today:
- Critical: 3 @ 5.2 years average
- High: 44 @ 6.2 years average
- Medium: 404 @ 5.3 years average
- Low: 216 @ 5.5 years average


© 2016, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License. 
 
Many Thx for these stats and your work. There is one thing that looks odd to me: You first write “[…], the Critical bug average has now jumped […] to 6.2 years.[…]” and then a few lines below “Critical: 3 @ 5.2 years average”. Either I’m missing something or there is an off-by-one error in one of those numbers.
Comment by Thorsten Leemhuis — October 20, 2016 @ 10:58 pm
Oops, typo. Fixed now, thanks!
Comment by kees — October 20, 2016 @ 11:25 pm
Good stuff. Totally underscores the need to have as a key infrastructure principle the ability to do reboots or redeploys programmatically.
Comment by Esteban — October 21, 2016 @ 10:55 am