Microsoft patch rate surged in second half of 2008

More security updates, more flaws fixed in each update, company report says

Microsoft Corp. was forced to pick up the patching pace in the second half of 2008, the company admitted Wednesday, as it fixed 67% more flaws and released 17% more security updates in the period than it had in the first six months of the year.

Included in the bugs patched during the latter months of the year was the vulnerability exploited by Conficker, a worm that led to the biggest infection outbreak in years and a minor media frenzy last week.

Microsoft patched 97 different vulnerabilities in 42 separate security update in the second half of 2008, compared to 58 vulnerabilities in 36 updates in the first half.

Vinnie Gullotto, the general manager of the Microsoft Malware Protection Center, acknowledged the increase. "The number [of patched vulnerabilities] did go up, but a lot has to do with our methodology."

Microsoft's Security Intelligence Report explained it differently. "Although the total number of security bulletins in [the second half of 2008] was on par with the last several periods, there was a significant increase in the number of CVE identifiers addressed per security bulletin in [the second half of 2008]," the report stated. The average number of Common Vulnerability and Exposure (CVE) identifiers rose from an average of 1.6 per security bulletin in the first half of 2008 to 2.3 in the final six months.

In plain English, that means Microsoft packed more individual patches into the average security update.

During the second half of 2008, Microsoft issued several multi-patch updates, including MS08-052, a five-patch update for the GDI+ component of Windows; MS08-058, a six-patch update for Internet Explorer (IE); MS08-072, an eight-patch fix for Microsoft Word; and MS08-073, a four-patch update for IE.

Gullotto also argued that the number of bugs Microsoft quashed was less important than the number of exploits actually crafted for, and released into the wild against, those vulnerabilities.

"The number of exploits against those [bugs] stayed about the same as in the first half of the year," he said. The report did not include a complete tally of all exploits aimed at Microsoft software during the last six months of the year, though it included some data related to browser and document file format bugs.

Conficker, the most prolific worm in several years got its start last year when it began to exploit unpatched Windows machines just weeks after Microsoft issued one of its two emergency updates for the period. "Fortunately, Conficker was a rarity," said Gullotto, referring to the scarcity of worms that attack the operating system and self-propagate quickly through networks.

The other "out-of-band" update was released in mid-December to plug a critical hole in IE which had already been exploited by criminals.

Even as Gullotto admitted that Microsoft had to patch more bugs as 2008 proceeded, he defended the company's track record. "We're clearly seeing the results of the progress we've made in software development," he said, pointing out that the company's newer software is more secure than older code. According to data gathered from the Malicious Software Removal Tool (MSRT), the anti-malware utility Microsoft updates and redistributes each month to Windows machines, the real-world infection rate of PCs running Windows Vista Service Pack 1 (SP1) is 61% less than that of systems powered by Windows XP SP3.

"Older versions typically do have more vulnerabilities, that's true," he said, "but one of the good things is that we're being transparent about it, we're telling people about the vulnerabilities."

Micrsosoft's new security report, labeled as "Volume 6," is available for download as a PDF file from the company's Web site.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags microsoft patchesconficker

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Computerworld
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?