Microsoft was forced to pick up the patching pace in the second half of 2008, the company admitted today, as it fixed 67% more flaws and released 17% more security updates in the period than it had in the first six months of the year.
Included in the bugs patched during the latter months of the year was the vulnerability exploited by Conficker, a worm that led to the biggest infection outbreak in years and a minor media frenzy last week.
Microsoft patched 97 different vulnerabilities in 42 separate security update in the second half of 2008, compared to 58 vulnerabilities in 36 updates in the first half.
Vinnie Gullotto, the general manager of the Microsoft Malware Protection Center, acknowledged the increase. "The number [of patched vulnerabilities] did go up, but a lot has to do with our methodology."
Microsoft's Security Intelligence Report explained it differently. "Although the total number of security bulletins in [the second half of 2008] was on par with the last several periods, there was a significant increase in the number of CVE identifiers addressed per security bulletin in [the second half of 2008]," the report stated. The average number of Common Vulnerability and Exposure (CVE) identifiers rose from an average of 1.6 per security bulletin in the first half of 2008 to 2.3 in the final six months.
In plain English, that means Microsoft packed more individual patches into the average security update.
During the second half of 2008, Microsoft issued several multi-patch updates, including MS08-052, a five-patch update for the GDI+ component of Windows; MS08-058, a six-patch update for Internet Explorer (IE); MS08-072, an eight-patch fix for Microsoft Word; and MS08-073, a four-patch update for IE.
Gullotto also argued that the number of bugs Microsoft quashed was less important than the number of exploits actually crafted for, and released into the wild against, those vulnerabilities.
"The number of exploits against those [bugs] stayed about the same as in the first half of the year," he said. The report did not include a complete tally of all exploits aimed at Microsoft software during the last six months of the year, though it included some data related to browser and document file format bugs.
Conficker, the most prolific worm in several years got its start last year when it began to exploit unpatched Windows machines just weeks after Microsoft issued one of its two emergency updates for the period. "Fortunately, Conficker was a rarity," said Gullotto, referring to the scarcity of worms that attack the operating system and self-propagate quickly through networks.
The other "out-of-band" update was released in mid-December to plug a critical hole in IE which had already been exploited by criminals.
Even as Gullotto admitted that Microsoft had to patch more bugs as 2008 proceeded, he defended the company's track record. "We're clearly seeing the results of the progress we've made in software development," he said, pointing out that the company's newer software is more secure than older code. According to data gathered from the Malicious Software Removal Tool (MSRT), the anti-malware utility Microsoft updates and redistributes each month to Windows machines, the real-world infection rate of PCs running Windows Vista Service Pack 1 (SP1) is 61% less than that of systems powered by Windows XP SP3.
"Older versions typically do have more vulnerabilities, that's true," he said, "but one of the good things is that we're being transparent about it, we're telling people about the vulnerabilities."
Microsoft's new security report, labelled as "Volume 6," is available for download as a PDF file from the company's website.