Looking back at a year of Microsoft patches
Last year Microsoft’s Patch Tuesdays featured a total of 83 bulletins, which is a decline from previous years. Since their security efforts impact countless security professionals, we wanted to see what IT security leaders, and Microsoft, think about the patches released in 2012.
Here are some of the comments received by Help Net Security.
Amol Sarwate, Director of Qualys Vulnerability Labs
“In 2012, not only did the number of security bulletins released by Microsoft decrease by 17%, but the total number of vulnerabilities included in those bulletins decreased by 10%. This is a good trend as organizations have a lower number of patches to deploy. Another key factor was the number of zero-day vulnerabilities, which decreased by 29% in 2012. These are vulnerabilities that were publicly disclosed before Microsoft could release a patch. Even better, the number of vulnerabilities that were actively exploited by attackers before availability of a patch decreased from 7 in 2011 to 5 in 2012.
On the flip side, there were vulnerabilities discovered in brand new products like Windows RT, Windows 8, as well as the latest versions of Microsoft Office and Internet Explorer. This has been a trend with all vendors, and although newer products are getting more secure, we believe that attackers and security researchers will continue finding security flaws in newer products. Although the total number of Important Microsoft bulletins decreased by 26% in 2012, the number of Critical bulletins did not decrease and remained virtually unchanged.
In conclusion, over the years Microsoft has greatly improved their security program and incident response capabilities and in my view had the most mature security process in the industry for 2012.”
Dustin Childs, Group Manager, Microsoft Trustworthy Computing
“We realize that security is an ongoing effort and we are constantly striving to protect our customers. Through the monthly bulletin release cadence and collaboration with industry partners, we have been able to continually evaluate and improve the security of our products. We encourage customers to enable automatic updates and be vigilant in deployment to ensure that they are protected from new and emerging threats.”
HD Moore, CSO of Rapid7 and Chief Architect of Metasploit
“Microsoft’s patch load in 2012 definitely felt lighter than previous years, and not just due to consolidation within bulletins. It seems like the market for Windows vulnerabilities has burned up most of the easy-to-find bugs, and the folks who would normally report the big ones are keeping them private.
As we saw in 2012, many of the common software vulnerabilities that have historically affected Windows are becoming incredibly difficult to exploit due to operating system level mitigations. The additional improvements in Windows 8 and the sky-high market for zero-days may reduce the public visibility of security flaws to an all-time low.
Microsoft still has work to do, but relative to other large software vendors, their ability to respond to security issues this year has improved.”
Chaitanya Sharma, Advisory Team Lead, Secunia
“In 2012, Microsoft released 83 security bulletins covering various products. Some of the most interesting fixes covered in the bulletins were fixes for 0-day vulnerabilities discovered in the Windows Common Control Library ActiveX Control (MSCOMCTL.ocx) and a remote code execution vulnerability in Remote Desktop Protocol. The MSCOMCTL vulnerabilities were interesting due to the sheer number of products the control is bundled with, e.g. Office, SQL Server, Commerce Server, and Visual FoxPro.
It is interesting to see that the number of bulletins issued by Microsoft in 2012 (83) is significantly lower than the number of bulletins issued in 2011 (100) and in 2010 (106). This year we also noticed a decline in the number of “Highly Critical” vulnerabilities, or vulnerabilities which would result in remote code execution.
This also points to the fact that Microsoft’s Security Development Lifecycle (SDL) initiative is helping them reduce the number of vulnerabilities found in their products.”
Gunter Ollmann, CTO, IOActive
“Microsoft’s Patch Tuesdays no longer get the fanfare they used to – and that’s great news! I believe that the process is so ingrained with IT admins and security teams that it’s an easily managed operational chore nowadays – not much worse than scheduling server backups. There were no notable hiccups to the process in 2012 – and that’s something even the antivirus companies can’t match.
If there was to be a complaint, it would be that Microsoft hasn’t been able to take charge of all the other vendors’ patching processes and schedules, and shoehorn them into theirs. How great it would be if we could get Adobe, Oracle, Dell, etc. to deliver their security updates the same way at the same time. Now that would make a great year!”
Wolfgang Kandek, CTO, Qualys
“In 2012 Microsoft’s process for Patch Tuesday improved and became more mature. In July, Microsoft migrated their release cycle for Internet Explorer from a 2-month to a 1-month period by streamlining its development and QA processes.
Internet Explorer patches now get to end-users quicker, which enhances security. Another important point is the more regular release rhythm that Microsoft set this year. We see this as another indication of a more mature process. Compared to the two years before, IT administrators have a much smoother release load, and that predictability is a positive influence.
Digital certificate security is a third point that had positive developments this year. A review triggered by malware abuse of signing certificates led to a number of improvements in Microsoft’s certificate infrastructure and the security of the software update process itself.”
Ross Barrett, Senior Manager, Security Engineering, Rapid7
“If advisories are an inverse reflection of security then we could say that Microsoft products are getting more secure, since the number of patches was down to 83, which is about 20% less than recent peak years of 2011/2010. This is keeping pace with the industry, where the total number of discovered and patched vulnerabilities was also down. I would attribute this to a number of factors, including enhanced security programs from vendors actually leading to more secure products.
During the year, Internet Explorer continued to be a prime target and received eight critical updates, including a few out-of-band patches. We started 2012 with a lingering vulnerability patch from December 29, 2011 and saw another one in September. Additionally, as we closed out the year, we heard rumors of an extra out-of-band patch in the offing.
On a positive note, the vast majority of these vulnerabilities were responsibly disclosed, which meant proactive security teams had the time to react before active exploitation became widespread.”