Microsoft announced today that next week's Patch Tuesday will be the lightest of 2012, with six security bulletins and just one rated critical.
The critical patch will apply to all Windows customers as it addresses a vulnerability that affects the entire family of the operating system, up to and including Windows 7.
Four of the patches address vulnerabilities in Windows, including the critical patch for a remote code execution vulnerability and the moderate patch for a denial-of-service exploit. The remaining two patches, both rated important, target an elevation of privilege vulnerability in Visual Studio and a remote code execution in Expression Design, respectively.
With six patches this month, Microsoft's total for the year will reach 22, up from the 17 bulletins issued through March of 2011. The total for the month also exceeded that of last year, when Microsoft issued just three bulletins.
The year-over-year increase comes just one month after Microsoft was able to reduce its total number of bulletins issued in February from 12 in 2011 to nine this year. And while the year is still young, Microsoft is in danger of surpassing the 100 bulletins issued in all of 2011.
However, Lumension security and forensic analyst Paul Henry says those numbers are a poor representation of Microsoft's progress with security. Citing recent improvements, as well as the novelty that its Internet Explorer web browser went "at least somewhat spared" during the Pwn2Own conference at which Google Chrome took a beating, Henry says the main point to focus on is the decrease in severity of vulnerabilities.
"I think they're doing a better job. They've got the processes in place to better manage their software development in line with security," Henry says. "They really have put a great deal of effort into this, and if you look at the longer-term trend, I think they're really starting to bear some fruit from it."
Both the security community and IT support professionals will welcome an increase in total patches issued if it means the number of critical patches remains low, Henry says.
"Part of the reason for that is that Microsoft, having cleared a large number of critical issues, is now focusing a lot of its attention on moderate and important issues and is just trying to clean things up," Henry says. "So the number of bulletins won't actually go down, but the critical bulletins absolutely will."
Just 32 of the 100 patches Microsoft issued throughout 2011 were deemed critical, the lowest rate since the Patch Tuesday routine launched in 2004. So far this year, Microsoft has issued six critical vulnerabilities, putting it on pace to reduce that rate by 25 percent.