Microsoft patch rate surged in second half of 2008

More security updates, more flaws fixed in each update, company report says

Microsoft Corp. was forced to pick up the patching pace in the second half of 2008, the company admitted Wednesday, as it fixed 67% more flaws and released 17% more security updates in the period than it had in the first six months of the year.

Included in the bugs patched during the latter months of the year was the vulnerability exploited by Conficker, a worm that led to the biggest infection outbreak in years and a minor media frenzy last week.

Microsoft patched 97 different vulnerabilities in 42 separate security update in the second half of 2008, compared to 58 vulnerabilities in 36 updates in the first half.

Vinnie Gullotto, the general manager of the Microsoft Malware Protection Center, acknowledged the increase. "The number [of patched vulnerabilities] did go up, but a lot has to do with our methodology."

Microsoft's Security Intelligence Report explained it differently. "Although the total number of security bulletins in [the second half of 2008] was on par with the last several periods, there was a significant increase in the number of CVE identifiers addressed per security bulletin in [the second half of 2008]," the report stated. The average number of Common Vulnerability and Exposure (CVE) identifiers rose from an average of 1.6 per security bulletin in the first half of 2008 to 2.3 in the final six months.

In plain English, that means Microsoft packed more individual patches into the average security update.

During the second half of 2008, Microsoft issued several multi-patch updates, including MS08-052, a five-patch update for the GDI+ component of Windows; MS08-058, a six-patch update for Internet Explorer (IE); MS08-072, an eight-patch fix for Microsoft Word; and MS08-073, a four-patch update for IE.

Gullotto also argued that the number of bugs Microsoft quashed was less important than the number of exploits actually crafted for, and released into the wild against, those vulnerabilities.

"The number of exploits against those [bugs] stayed about the same as in the first half of the year," he said. The report did not include a complete tally of all exploits aimed at Microsoft software during the last six months of the year, though it included some data related to browser and document file format bugs.

Conficker, the most prolific worm in several years got its start last year when it began to exploit unpatched Windows machines just weeks after Microsoft issued one of its two emergency updates for the period. "Fortunately, Conficker was a rarity," said Gullotto, referring to the scarcity of worms that attack the operating system and self-propagate quickly through networks.

The other "out-of-band" update was released in mid-December to plug a critical hole in IE which had already been exploited by criminals.

Even as Gullotto admitted that Microsoft had to patch more bugs as 2008 proceeded, he defended the company's track record. "We're clearly seeing the results of the progress we've made in software development," he said, pointing out that the company's newer software is more secure than older code. According to data gathered from the Malicious Software Removal Tool (MSRT), the anti-malware utility Microsoft updates and redistributes each month to Windows machines, the real-world infection rate of PCs running Windows Vista Service Pack 1 (SP1) is 61% less than that of systems powered by Windows XP SP3.

"Older versions typically do have more vulnerabilities, that's true," he said, "but one of the good things is that we're being transparent about it, we're telling people about the vulnerabilities."

Micrsosoft's new security report, labeled as "Volume 6," is available for download as a PDF file from the company's Web site.

Join the PC World newsletter!

Error: Please check your email address.

Tags securityconfickermicrosoft patches

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Michael Hargreaves

Windows 10 for Business / Dell XPS

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?