Even though two out of every three machines are vulnerable to one or more critical vulnerabilities, enterprises are managing to patch faster than ever, a researcher said on the eve of his keynote speech at a security conference.

The "half-life" of vulnerabilities -- the amount of time it takes companies to patch half of their systems against a newly-disclosed bug -- continues to drop, said Gerhard Eschelbeck, the chief technology officer of Qualys and the creator of his self-titled “Laws of Vulnerabilities.” Eschelbeck based his research on statistical analysis of 21 million critical vulnerabilities, and 32 million network scans conducted over a three-year period.

"We've made significant progress in reducing the window of exposure," said Eschelbeck, noting that the half-life for a critical vulnerability on an externally-facing computer is now 19 days, down from 2004's 21. In 2003, the half-life of such systems was 30 days.

But not all machines get patched that quickly. "There is a large disparity between external and internal systems," said Eschelbeck. "Systems inside have a half-life of 48 days, compared to 19 for external systems. In large part, that's due to the perception, rightly deserved, that the risk on external machines is higher."

Even so, companies have made dramatic progress in patching internal computers, too; the half-life of these computers was cut by 23 percent in the last year, said Eschelbeck, down from 62 in 2004.

But the quickened patching pace has been more than matched by an almost three-fold speed increase on the part of exploits. "Automated attacks [now] create 85 percent of their damage within the first 15 days from the outbreak," said Eschelbeck. Last year, he reported that 80 percent of the damage was done in the first 42 days.

One way to compete with that boost in attack and damage speed is to press vendors to provide regularly-scheduled patches. According to Eschelbeck's data, patches released on a predefined schedule -- monthly or quarterly -- are deployed 18 percent faster than those for vulnerabilities whose fixes are released ad hoc. "There's been lots of discussion [in the security community] about what's the right thing to do for the end user, release patches regularly or as soon as they're ready," he said. "It seems a predictive schedule makes it easier to organize and plan and put together resources for patching, rather than scramble when a patch suddenly appears."

That finding should sit well with Microsoft, one of the first major developers to go to a regular release schedule.

Among his other conclusions, Eschelbeck downplayed concern over wireless security, saying that the problem is really overrated.

"People think that wireless is such a big exposure point for networks, and that's it's a real problem, but only 1 in 18,220 critical vulnerabilities is caused by a wireless access point."

Eschelbeck sees 2006 as another year of steady improvement. "We need to look at how to continue to improve half-life," he said. "By reducing it another 20 percent, we can make networks even more secure."

In addition, with an increasing number of critical vulnerabilities, enterprises need to look harder at prioritizing their patching. "Companies need to focus on the right vulnerabilities. The top 10 percent cause 90 percent of the damage."

Eschelbeck pointed to efforts to create a standardized vulnerability rating system. The Common Vulnerability Scoring System (CVSS), which was designed by several technology companies, including Cisco, eBay, Internet Security Systems, and Qualys, is the primary initiative.

"Scoring and prioritization are going to be more important in 2006. Companies have finite resources."

Eschelbeck will be presenting his data in a keynote at the Computer Security Institute (CIS) Conference Tuesday. The conference opened Monday in Washington, D.C.