Microsoft patch rate surged in second half of 2008

Microsoft Corp. was forced to pick up the patching pace in the second half of 2008, the company admitted Wednesday, as it fixed 67% more flaws and released 17% more security updates in the period than it had in the first six months of the year.

Included in the bugs patched during the latter months of the year was the vulnerability exploited by Conficker, a worm that led to the biggest infection outbreak in years and a minor media frenzy last week.

Microsoft patched 97 different vulnerabilities in 42 separate security update in the second half of 2008, compared to 58 vulnerabilities in 36 updates in the first half.

Vinnie Gullotto, the general manager of the Microsoft Malware Protection Center, acknowledged the increase. "The number [of patched vulnerabilities] did go up, but a lot has to do with our methodology."

Microsoft's Security Intelligence Report explained it differently. "Although the total number of security bulletins in [the second half of 2008] was on par with the last several periods, there was a significant increase in the number of CVE identifiers addressed per security bulletin in [the second half of 2008]," the report stated. The average number of Common Vulnerability and Exposure (CVE) identifiers rose from an average of 1.6 per security bulletin in the first half of 2008 to 2.3 in the final six months.

In plain English, that means Microsoft packed more individual patches into the average security update.

During the second half of 2008, Microsoft issued several multi-patch updates, including MS08-052, a five-patch update for the GDI+ component of Windows; MS08-058, a six-patch update for Internet Explorer (IE); MS08-072, an eight-patch fix for Microsoft Word; and MS08-073, a four-patch update for IE.

Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine