Microsoft patch rate surged in second half of 2008

More security updates, more flaws fixed in each update, company report says

Microsoft Corp. was forced to pick up the patching pace in the second half of 2008, the company admitted Wednesday, as it fixed 67% more flaws and released 17% more security updates in the period than it had in the first six months of the year.

Included in the bugs patched during the latter months of the year was the vulnerability exploited by Conficker, a worm that led to the biggest infection outbreak in years and a minor media frenzy last week.

Microsoft patched 97 different vulnerabilities in 42 separate security update in the second half of 2008, compared to 58 vulnerabilities in 36 updates in the first half.

Vinnie Gullotto, the general manager of the Microsoft Malware Protection Center, acknowledged the increase. "The number [of patched vulnerabilities] did go up, but a lot has to do with our methodology."

Microsoft's Security Intelligence Report explained it differently. "Although the total number of security bulletins in [the second half of 2008] was on par with the last several periods, there was a significant increase in the number of CVE identifiers addressed per security bulletin in [the second half of 2008]," the report stated. The average number of Common Vulnerability and Exposure (CVE) identifiers rose from an average of 1.6 per security bulletin in the first half of 2008 to 2.3 in the final six months.

In plain English, that means Microsoft packed more individual patches into the average security update.

During the second half of 2008, Microsoft issued several multi-patch updates, including MS08-052, a five-patch update for the GDI+ component of Windows; MS08-058, a six-patch update for Internet Explorer (IE); MS08-072, an eight-patch fix for Microsoft Word; and MS08-073, a four-patch update for IE.

Gullotto also argued that the number of bugs Microsoft quashed was less important than the number of exploits actually crafted for, and released into the wild against, those vulnerabilities.

"The number of exploits against those [bugs] stayed about the same as in the first half of the year," he said. The report did not include a complete tally of all exploits aimed at Microsoft software during the last six months of the year, though it included some data related to browser and document file format bugs.

Conficker, the most prolific worm in several years got its start last year when it began to exploit unpatched Windows machines just weeks after Microsoft issued one of its two emergency updates for the period. "Fortunately, Conficker was a rarity," said Gullotto, referring to the scarcity of worms that attack the operating system and self-propagate quickly through networks.

The other "out-of-band" update was released in mid-December to plug a critical hole in IE which had already been exploited by criminals.

Even as Gullotto admitted that Microsoft had to patch more bugs as 2008 proceeded, he defended the company's track record. "We're clearly seeing the results of the progress we've made in software development," he said, pointing out that the company's newer software is more secure than older code. According to data gathered from the Malicious Software Removal Tool (MSRT), the anti-malware utility Microsoft updates and redistributes each month to Windows machines, the real-world infection rate of PCs running Windows Vista Service Pack 1 (SP1) is 61% less than that of systems powered by Windows XP SP3.

"Older versions typically do have more vulnerabilities, that's true," he said, "but one of the good things is that we're being transparent about it, we're telling people about the vulnerabilities."

Micrsosoft's new security report, labeled as "Volume 6," is available for download as a PDF file from the company's Web site.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securityconfickermicrosoft patches

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?