Microsoft patch rate surged in second half of 2008

More security updates, more flaws fixed in each update, company report says

Microsoft Corp. was forced to pick up the patching pace in the second half of 2008, the company admitted Wednesday, as it fixed 67% more flaws and released 17% more security updates in the period than it had in the first six months of the year.

Included in the bugs patched during the latter months of the year was the vulnerability exploited by Conficker, a worm that led to the biggest infection outbreak in years and a minor media frenzy last week.

Microsoft patched 97 different vulnerabilities in 42 separate security update in the second half of 2008, compared to 58 vulnerabilities in 36 updates in the first half.

Vinnie Gullotto, the general manager of the Microsoft Malware Protection Center, acknowledged the increase. "The number [of patched vulnerabilities] did go up, but a lot has to do with our methodology."

Microsoft's Security Intelligence Report explained it differently. "Although the total number of security bulletins in [the second half of 2008] was on par with the last several periods, there was a significant increase in the number of CVE identifiers addressed per security bulletin in [the second half of 2008]," the report stated. The average number of Common Vulnerability and Exposure (CVE) identifiers rose from an average of 1.6 per security bulletin in the first half of 2008 to 2.3 in the final six months.

In plain English, that means Microsoft packed more individual patches into the average security update.

During the second half of 2008, Microsoft issued several multi-patch updates, including MS08-052, a five-patch update for the GDI+ component of Windows; MS08-058, a six-patch update for Internet Explorer (IE); MS08-072, an eight-patch fix for Microsoft Word; and MS08-073, a four-patch update for IE.

Gullotto also argued that the number of bugs Microsoft quashed was less important than the number of exploits actually crafted for, and released into the wild against, those vulnerabilities.

"The number of exploits against those [bugs] stayed about the same as in the first half of the year," he said. The report did not include a complete tally of all exploits aimed at Microsoft software during the last six months of the year, though it included some data related to browser and document file format bugs.

Conficker, the most prolific worm in several years got its start last year when it began to exploit unpatched Windows machines just weeks after Microsoft issued one of its two emergency updates for the period. "Fortunately, Conficker was a rarity," said Gullotto, referring to the scarcity of worms that attack the operating system and self-propagate quickly through networks.

The other "out-of-band" update was released in mid-December to plug a critical hole in IE which had already been exploited by criminals.

Even as Gullotto admitted that Microsoft had to patch more bugs as 2008 proceeded, he defended the company's track record. "We're clearly seeing the results of the progress we've made in software development," he said, pointing out that the company's newer software is more secure than older code. According to data gathered from the Malicious Software Removal Tool (MSRT), the anti-malware utility Microsoft updates and redistributes each month to Windows machines, the real-world infection rate of PCs running Windows Vista Service Pack 1 (SP1) is 61% less than that of systems powered by Windows XP SP3.

"Older versions typically do have more vulnerabilities, that's true," he said, "but one of the good things is that we're being transparent about it, we're telling people about the vulnerabilities."

Micrsosoft's new security report, labeled as "Volume 6," is available for download as a PDF file from the company's Web site.

Join the PC World newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securityconfickermicrosoft patches

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?