Data Security

Microsoft Patch Tuesday Shows Secure Coding Pays Off

Microsoft Patch Tuesday Shows Secure Coding Pays Off
December 12, 2012 10:18AM

Bookmark and Share
Security researcher Paul Henry said it was great to see Microsoft's Secure Coding Initiative paying off, reducing the number of vulnerabilities in its software, resulting in an easier time for IT at Patch Tuesday time. Over the year, Microsoft Patch Tuesday released 35 critical security bulletins, 46 important bulletins and two moderate bulletins.

You have the experience and skills, let an ISACA® certification demonstrate your value. Our certifications announce that you have the expertise and insight to speak with authority. ISACA certification is more than a credential; it's a platform that can elevate your career. Register for an Exam Today.

Microsoft's last Patch Tuesday of 2012 rolled out seven patches. Five of them are rated critical and two are rated important. The good news is: none are under active attack.

With December's Patch Tuesday, Microsoft has rolled out 83 security bulletins in 2012. That's significantly down from the 100 security bulletins Redmond released in 2011. Microsoft released 117 security bulletins in 2010.

"Maybe even more important than the raw numbers is the more regular release rhythm that Microsoft set this year," said Wolfgang Kandek, CTO at Qualys. "We see this as a clear sign of a more mature process."

Prioritizing the Patches

Looking at December's patches, five of this month's bulletins are rated as critical. That means an attacker can use the vulnerabilities Microsoft is fixing to gain complete control over the victim's machine.

"Of the five, we think that MS12-079, a bulletin for Microsoft Word, is the most important. The attack can be accomplished through e-mail using a flaw in the Rich Text Format," Kandek told us. "An attacker can gain control of a computer without end user interaction because Microsoft Outlook automatically displays the malicious text in the Preview Pane."

Kandek pointed to a potential work-around: manually configuring the preview pane in Outlook's Trust Center to use plain text only. The downside is you lose a significant amount of functionality by opting for this workaround.

Kandek put the Internet Explorer bulletin MS12-077 in a close second with regard to IT patching priorities. MS12-077 addresses vulnerabilities in IE 9 and 10, the newest versions of IE that run under Vista, Windows 7 and Windows 8.

"Here, an attacker would have to lure the attack target to browse to a malicious Web page," Kandek said. "This is a tad harder than sending the target a simple e-mail, another common attack method."

Secure Coding Initiative Pays Off

Paul Henry, a security and forensic analyst for Lumension, also pulled the camera back and took a wide view of 2012. With the multitude of third-party application patching needed this year from the likes of Adobe, Java and even Apple, he said, you likely didn't notice Microsoft put out 20 percent fewer patches in 2011.

Over the year, Microsoft Patch Tuesday released 35 critical bulletins, 46 important bulletins and two moderate bulletins. Henry said it was great to see Microsoft's Secure Coding Initiative paying off, reducing the number of vulnerabilities in its software, resulting in an easier time for IT at Patch Tuesday time.

"A look back over the last couple of years proves interesting. In 2011, January had two bulletins, while February had 12. March then went back down to three, but April went up to 17. May had two and June went back up to 16," Henry said.

"In contrast, January of this year had seven patches, February had nine, then six in both March and April, and seven in both May and June. In fact, only one month -- September, at three -- was lower than six or higher than nine. The degree of consistency makes it easier for IT to plan out the time and effort they'll need to spend on Patch Tuesday each month."

Tell Us What You Think
Comment:

Name:

Norm:

Posted: 2012-12-13 @ 10:29am PT
@Shickadee: Mine went smoothly. You might want to try again, but also report the problem directly to Microsoft. Good luck.

Shickadee:

Posted: 2012-12-13 @ 10:26am PT
This December's update couldn't make it past the 7th of twelve updates. After waiting more than 1/2 a day for it to complete, I finally chanced it and restarted my computer. Thankfully it recovered okay. This is the 1st time this has happened, with all the Windows 7 updates. Has anyone else had this problem?



 Data Security
1. Juniper DDoS for High-IQ Networks
2. Google Hacker Team to Hunt Bugs
3. Cloud Firms Offer Azure Starter Kit
4. FBI Cyber-Expert's Humble Start
5. Chinese Hackers Hit U.S. Officials




 Most Popular Articles
1. Experts Say Four Threats Put Internet Freedom at Risk
2. Gartner Rates Security Solutions in Annual Magic Quadrant Report
3. Google I/O Conference Brings a Lot for Businesses
4. IBM Earmarks $3B for Next-Gen Cloud Computing Chips
5. Focus on Security in New Dell Products, Upgrades


Have an informed opinion on this story?
Send a Letter to the Editor.
We want to know what you think.
Send us your Feedback.

 Related Topics  Latest News & Special Reports

  Juniper DDoS for High-IQ Networks
  Seagate Unveils Networked Drives
  Google Hacker Team to Hunt Bugs
  Cloud Firms Offer Azure Starter Kit
  FBI Cyber-Expert's Humble Start

 Technology Marketplace
Big Data
Unlock your enterprise data's potential. Learn how in the research report.
Are you getting everything you can out of your business data?
 
Business Intelligence
Get real-time, cloud-based information services with Neustar.
 
CIO Issues
Secure and retain skilled technology professionals. Learn how.
 
Cloud Computing
Are you getting everything you can out of your business data?
 
Data Storage
Unlock your enterprise data's potential. Learn how in the research report.
 
Enterprise Hardware
Protect your network with APC Smart-UPS battery backup
Cisco UCS Invicta Series flash memory systems
 
Enterprise I.T.
Register for an upcoming ISACA® certification exam today
Secure and retain skilled technology professionals. Learn how.
 
Enterprise Software
Unlock your enterprise data's potential. Learn how in the research report.
 
Hardware
Protect your network with APC Smart-UPS battery backup
Ferocious productivity. A fearless team of pros. Find Out More
Cisco UCS Invicta Series flash memory systems
 
Network Security
Protect your network with APC Smart-UPS battery backup
 
Small Business
Ferocious productivity. A fearless team of pros. Find Out More