Microsoft patched more Common Vulnerabilities and Exposures in 2014 than in any other year, but the number of critical fixes fell
Security and compliance specialist Tripwire has released its analysis of Microsoft’s patch data from 2014.
It found that the average number of Common Vulnerabilities and Exposures (CVEs) addressed per month increased by 20 percent in the second half of 2014.
Tripwire’s Vulnerability and Exposure Research Team (VERT) has been collecting and analysing this data since 2009. It found that last year was a very busy time for Microsoft’s security people, who had to pack more vulnerability fixes into each regular Patch Tuesday update.
Tripwire also discovered that the average number of bulletins per month decreased from nine to seven between 2013 and 2014.
“The 2014 data clearly shows that Microsoft is packing in more CVEs per bulletin in 2014,” said Lane Thames, security researcher for Tripwire. “One contributing factor to this change is the growing base of security researchers who disclose Microsoft vulnerabilities, and another factor is the improved research tools researchers have access to that allow them to discover vulnerabilities faster.”
The number of CVEs per month remained static from 2013 to 2014. But after a slow start in the beginning of the year, CVEs increased by 20 percent in the second half of 2014.
But Tripwire did find some good news: its analysis revealed that there were 28 critical bulletins in 2014, down from 42 in 2013. Internet Explorer remains the main culprit here, with IE making up 43 percent of 2014’s critical vulnerabilities.
Indeed, Tripwire said that there has not been a non-critical IE update since December 2011. There were also two IE updates in 2014, down from 14 in 2013.
Questions have been raised about the long-term future of Internet Explorer, after Microsoft recently revealed a brand new lightweight web browser codenamed “Spartan” will be included in the forthcoming Windows 10 operating system.
So what can we expect this year, patch-wise? Tripwire’s Thames has a couple of predictions.
“First, I don’t foresee an abrupt change in the CVE per bulletin density over the next year,” said Thames. “It is likely that Microsoft will continue to pack a lot of CVEs into every bulletin, and the majority of this density will likely be due to Internet Explorer.”
“Second, it’s possible that we will see an uptick in the number of out-of-band Microsoft security bulletins due to Google’s Project Zero,” he said, referring to Google’s somewhat controversial security research team.
Google’s Project Zero team aims to find and fix critical vulnerabilities in anyone’s technology, not just Google’s, before they can be used in cyber attacks.
But the Google team drew criticism last month when it revealed a flaw in Windows 8.1 that could allow an attacker to gain control of a system by granting a low-level account administrator privileges. The team went public with the bug after the bug was not fixed in 90 days. It recently did a similar thing to Apple, when it went public with a number of flaws with the Mac OS X operating system, after the iPad maker failed to respond with fixes.
“On average, Microsoft will only have 70 to 80 days to fix, test and deliver patches for vulnerabilities discovered by Project Zero, given the fixed Patch Tuesday cycle and Project Zero’s rigid 90-day time frame,” warned Thames.
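A worked check of the arithmetic behind that estimate, added here as an illustration and not taken from the article or from Tripwire: it models Patch Tuesday as the second Tuesday of each month and the disclosure deadline as a fixed 90 days, then measures the window from a report date to the last scheduled release that still falls inside the deadline. The sample report date is constructed, and the year-long average it computes is this example's own, not a figure from the page.

```python
from datetime import date, timedelta

DEADLINE_DAYS = 90  # the fixed disclosure deadline the article describes


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month, i.e. the regular bulletin release day."""
    first = date(year, month, 1)
    days_to_tuesday = (1 - first.weekday()) % 7  # weekday(): Monday=0, Tuesday=1
    return first + timedelta(days=days_to_tuesday + 7)


def last_patch_tuesday_on_or_before(day: date) -> date:
    """Latest scheduled Patch Tuesday that does not fall after `day`."""
    candidate = patch_tuesday(day.year, day.month)
    if candidate <= day:
        return candidate
    prev_year, prev_month = (day.year - 1, 12) if day.month == 1 else (day.year, day.month - 1)
    return patch_tuesday(prev_year, prev_month)


def effective_fix_window(reported, deadline_days: int = DEADLINE_DAYS) -> int:
    """Days the vendor really has: report date to the last Patch Tuesday inside the deadline."""
    if isinstance(reported, str):  # accept ISO dates such as "2014-09-30"
        reported = date.fromisoformat(reported)
    deadline = reported + timedelta(days=deadline_days)
    return (last_patch_tuesday_on_or_before(deadline) - reported).days


def window_stats(year: int, deadline_days: int = DEADLINE_DAYS) -> dict:
    """Average, shortest and longest effective window over every report date in `year`."""
    day = date(year, 1, 1)
    windows = []
    while day.year == year:
        windows.append(effective_fix_window(day, deadline_days))
        day += timedelta(days=1)
    return {"avg": sum(windows) / len(windows), "min": min(windows), "max": max(windows)}


if __name__ == "__main__":
    sample_report = "2014-09-30"  # constructed sample date, not a date from the article
    print(effective_fix_window(sample_report))  # 70
    print(window_stats(2014))
```

The shortest window occurs when the deadline lands the day before a Patch Tuesday at the end of a five-week gap, which is why the average sits in the low to mid 70s rather than at 90.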
“It’s interesting that there was such a massive drop in critical patches from 2013 to 2014,” said Craig Young, security researcher for Tripwire. “Windows XP wound down in April 2014, but I don’t see any drop-off in the trend data specific to its end of life.”
“Dropping Windows XP support could have led to the reduced number of critical bulletins due to the improved security measures of newer versions,” he added. “However, it’s possible that the overall bulletins did not decrease because a lot of Windows XP code continues to be used in Microsoft’s newer systems.”