Microsoft Patch Analysis
nCircle, the leader in information risk and security performance management, recently completed an analysis of Microsoft patch trends to provide insight into 2013 trends.
"In 2010, Microsoft released over 106 bulletins and 269 CVEs. In 2011 and 2012 we saw a dramatic decrease in patch volume and CVE volume. It's pretty clear that Microsoft's secure software development efforts are paying off. Over the last 24 months or so, the Microsoft patch volume has become fairly predictable, a huge change from the dramatic volume swings we used to see in 2010 and the first part of 2011. Barring unforeseen changes, 2013 patch volume should look a lot like 2012, which is helpful for IT resource plans."
"Historically, Microsoft patched Internet Explorer just six times a year. The every other month cadence was due to Microsoft’s stringent quality assurance requirements for IE updates. Early in 2012, Microsoft announced they had increased the test resources for Internet Explorer updates and were able to release an IE update every month. Microsoft patched IE 8 times last year, and I'm sure we'll see more IE patches in 2013. In fact, I wouldn't be surprised to see an IE patch every month this year. Monthly IE updates would be a good thing in my book because browsers are a huge target for attackersattackers. Microsoft's commitment to a faster patch cadence could also be viewed as a necessary market response. They're playing a little bit of a catch up since Google patches Chrome very quickly and very often.
Out-of-band emergency patches are a huge resource drain that can dramatically impact IT productivity, but the trend here is very encouraging. Microsoft only released one out-of-band patch in 2011 and one in 2012.
It would be great to have a year with no zero-day bugs critical enough to require an out-of-band patch but, given the size and complexity of Microsoft's software, that's probably not going to happen anytime soon. While lots of out-of-band patches are a sign of poor security software development practices, it's still good to know that Microsoft can respond quickly when an out-of-band patch is required."
"Microsoft's use of critical rating for bugs can sometimes feel subjective– it's not unusual for researchers to disagree with the priority rating of specific patches. For example, Microsoft is known to lower the priority and criticality on any bug that can't be exploited using a default setting. They typically have the same response to bugs that require a decent amount of user interaction.
Since the same group that designs the software is also responsible for rating the bugs, it's hard to get too excited about the critical bug trend data. That said, the overall trend for bugs with a critical rating validates Microsoft's internal focus on improving the security of their products. It's definitely paying off, and that's a positive for everyone in IT."