But the initial version of the report released Monday contained errors, and a corrected version released today no longer claims that the total number of vulnerabilities allowing remote code execution is dropping.
The first version of the report said "vulnerabilities that could lead to remote code execution have dropped significantly in percentage terms and in raw numbers." However, after Network World pointed out inconsistencies between numbers in the text and an accompanying chart, Microsoft released an updated version that says remote code execution vulnerabilities "have dropped in percentage terms" only.
In fiscal 2011, 62.8% of vulnerabilities allowed remote code execution, down from 70.8% in 2010 and 74.1% in 2008, according to the Microsoft Security Response Center's third annual progress report.
Microsoft released 117 security bulletins covering 283 vulnerabilities in the 12-month period ending June 2011, a higher total than in any of the previous five years covered in the report. Microsoft releases a series of patches covering numerous products on Patch Tuesday, the second Tuesday of each month.
In fiscal 2010, there were 88 security bulletins covering 211 vulnerabilities in Microsoft products. Based on the percentages given by Microsoft, about 149 of those vulnerabilities allowed remote code execution. In 2011, that number jumped to about 178, so there were 29 additional vulnerabilities allowing remote code execution in the most recent 12-month period.
These are estimates because a Microsoft representative declined to specify exactly how many remote code execution vulnerabilities have been found each year, and also would not provide statistics on other types of vulnerabilities.
"Traditionally [Microsoft] doesn't share the actual number of remote code executions or what types of vulnerabilities increased or decreased," the representative wrote in an email.
On the bright side, Microsoft's report says vulnerability statistics show newer versions of its software are less vulnerable than older ones, which is no surprise. About 38% of vulnerabilities were "less serious or nonexistent on the latest version of the affected application than on earlier versions." Only 3% of vulnerabilities "affected the most recent version but not older versions."
But IT pros at Microsoft shops are still burdened with increasing numbers of patches to deploy. By deploying only the most serious patches and using only the current versions of Windows client and server software, customers could have reduced the number of patches from 117 to 24 in the most recent 12-month period.
Still, "Microsoft recommends that customers install all applicable security updates," so skipping less serious fixes isn't advised. "Exploitation techniques change over time, and newly developed techniques can make it easier for an attacker to exploit vulnerabilities that had previously been more difficult to successfully exploit," Microsoft said.