This University of Maryland research on the impact of shared code on vulnerability patching is interesting on the surface, but it also asks a far more important question about our ability to patch vulnerable systems fast enough:

To understand security threats, and our ability to defend against them, an important question is "Can we patch vulnerabilities faster than attackers can exploit them?" (to quote Bruce Schneier). When asking this question, people usually think about creating patches for known vulnerabilities before exploits can be developed, or discovering vulnerabilities before they can be targeted in zero-day attacks. However, another race may have an even bigger impact on security: once a patch is released, it must also be deployed on all the hosts running the vulnerable software before the vulnerability is exploited in the wild. There is some evidence that exploits are able to find sizable populations of vulnerable hosts: the Internet worms from 2001-2004 (e.g. Code Red, Slammer, Witty) propagated by exploiting known vulnerabilities, yet they were able to infect between 12K and 359K hosts.

It turns out that it may not be that easy to patch vulnerabilities completely. Using WINE, we analyzed the patch deployment process for 1,593 vulnerabilities from 10 Windows client applications, on 8.4 million hosts worldwide [Oakland 2015]. We found that a host may be affected by multiple instances of the same vulnerability, because the vulnerable program is installed in several directories or because the vulnerability is in a shared library distributed with several applications. For example, CVE-2011-0611 affected both the Adobe Flash Player and Adobe Reader (Reader includes a library for playing .swf objects embedded in a PDF). Because updates for the two products were distributed using different channels, the vulnerable host population decreased at different rates, as illustrated in the figure on the left. For Reader, patching started 9 days after disclosure (after the patch for CVE-2011-0611 was bundled with another patch in a new Reader release), and the update reached 50% of the vulnerable hosts after 152 days. For Flash, patching started earlier, 3 days after disclosure, but the patching rate soon dropped (a second patching wave, suggested by the inflection in the curve after 43 days, eventually subsided as well). Perhaps for this reason, CVE-2011-0611 was frequently targeted by exploits in 2011, using both the .swf and PDF vectors.
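The measurement the quoted passage describes (per-product patch curves, time to reach 50% of the vulnerable population, and the fact that a host stays exposed until its last vulnerable instance is updated) can be reproduced on host telemetry. The script below is an added example written for this page, not the WINE analysis or the paper's code. It works on constructed observations of the form (host, days since disclosure, product, version); the fixed-version thresholds for "flash" and "reader" are hypothetical and are not the real CVE-2011-0611 fix versions. It keys instances on (host, product) only; a real pipeline would also key on install path, since the text notes the same program may live in several directories on one host.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Hypothetical fixed versions, constructed for this example (NOT the real
# CVE-2011-0611 fix versions). An instance is vulnerable while its installed
# version sorts below the threshold for its product.
FIXED_VERSION: Dict[str, Tuple[int, ...]] = {
    "flash": (10, 3, 0),
    "reader": (9, 4, 4),
}

Observation = Tuple[str, int, str, str]   # (host, day since disclosure, product, version)
PatchDay = Optional[int]                  # None = still vulnerable at last sighting

# Constructed telemetry. h2 and h3 carry both products (shared .swf library),
# h4 is never updated, h5 gets a non-fixing minor update first, and h6's
# Reader was already at the fixed version when first seen.
OBSERVATIONS: List[Observation] = [
    ("h1", 0, "flash", "10.2.0"), ("h1", 3, "flash", "10.3.0"),
    ("h2", 0, "flash", "10.2.0"), ("h2", 35, "flash", "10.3.0"),
    ("h2", 0, "reader", "9.4.2"), ("h2", 30, "reader", "9.4.4"),
    ("h3", 0, "flash", "10.2.0"), ("h3", 25, "flash", "10.3.0"),
    ("h3", 0, "reader", "9.4.2"), ("h3", 9, "reader", "9.4.4"),
    ("h4", 0, "reader", "9.4.2"), ("h4", 100, "reader", "9.4.2"),
    ("h5", 0, "flash", "10.2.0"), ("h5", 2, "flash", "10.2.1"), ("h5", 150, "flash", "10.3.0"),
    ("h6", 0, "reader", "9.4.4"), ("h6", 0, "flash", "10.2.0"), ("h6", 10, "flash", "10.3.0"),
    ("h7", 0, "flash", "10.2.0"), ("h7", 40, "flash", "10.3.0"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.2.159' into (10, 2, 159) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(product: str, version: str) -> bool:
    return parse_version(version) < FIXED_VERSION[product]


def instance_patch_days(obs: List[Observation]) -> Dict[Tuple[str, str], PatchDay]:
    """For every (host, product) instance that was vulnerable when first seen,
    return the day a fixed version was first observed (None if never)."""
    history: Dict[Tuple[str, str], List[Tuple[int, str]]] = defaultdict(list)
    for host, day, product, version in obs:
        history[(host, product)].append((day, version))
    result: Dict[Tuple[str, str], PatchDay] = {}
    for (host, product), sightings in history.items():
        sightings.sort()
        if not is_vulnerable(product, sightings[0][1]):
            continue  # never part of the vulnerable population
        result[(host, product)] = next(
            (day for day, version in sightings if not is_vulnerable(product, version)),
            None,
        )
    return result


def product_patch_days(inst: Dict[Tuple[str, str], PatchDay], product: str) -> List[PatchDay]:
    """Patch days of every vulnerable instance of one product (one curve in the figure)."""
    return [day for (_, prod), day in inst.items() if prod == product]


def host_patch_days(inst: Dict[Tuple[str, str], PatchDay]) -> Dict[str, PatchDay]:
    """A host is exposed until its LAST vulnerable instance is patched, so the
    host-level patch day is the max over its instances (None if any is unpatched)."""
    per_host: Dict[str, List[PatchDay]] = defaultdict(list)
    for (host, _), day in inst.items():
        per_host[host].append(day)
    return {
        host: (None if any(d is None for d in days) else max(days))  # type: ignore[type-var]
        for host, days in per_host.items()
    }


def fraction_vulnerable(patch_days: List[PatchDay], day: int) -> float:
    """Share of the initially vulnerable population still vulnerable on `day`."""
    return sum(1 for d in patch_days if d is None or d > day) / len(patch_days)


def days_to_half_patched(patch_days: List[PatchDay], horizon: int = 365) -> Optional[int]:
    """First day on which at least half of the population has been patched."""
    for day in range(horizon + 1):
        if fraction_vulnerable(patch_days, day) <= 0.5:
            return day
    return None


if __name__ == "__main__":
    inst = instance_patch_days(OBSERVATIONS)
    for product in FIXED_VERSION:
        print(product, "50% patched after day", days_to_half_patched(product_patch_days(inst, product)))
    print("hosts", "50% patched after day", days_to_half_patched(list(host_patch_days(inst).values())))
```

On the constructed data the Flash curve crosses 50% on day 25 and the Reader curve on day 30, but the host population only crosses it on day 35, because the hosts with both products are not safe until the slower channel delivers. Counting patched binaries instead of patched hosts would overstate coverage in exactly the way the passage warns about.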

Just imagine what it is like in DoD, where there are upwards of six million machines in need of being patched on a regular basis. This is one of the many reasons why DoD is so concerned about risk and why it is constantly looking for more inventive means of continuous monitoring than just HBSS.