Looking at the raw numbers, Microsoft had a good year for security in 2012.
In 2011, Microsoft released a total of 100 security updates. In contrast, for 2012 Microsoft was able to reduce that number to 83. In terms of severity, Paul Henry, security and forensic analyst at Lumension, noted that there were 35 critical vulnerabilities in 2012, up from 34 in 2011. In 2011 there were 63 bulletins rated as important, while in 2012 that number declined to 46.
Microsoft’s vulnerability improvement in 2012 isn’t just about lowering the security bulletin count, according to Rapid7 CISO and Metasploit founder HD Moore.
“It seems like the market for Windows vulnerabilities has burned up most of the easy-to-find bugs, and the folks who would normally report the big ones are keeping them private,” Moore told eSecurity Planet.
Microsoft’s SDL Process
From Microsoft’s perspective, the improvement in numbers for 2012 is all part of the company’s continued efforts to improve security.
“Microsoft works extensively with the security research community to address issues found through their efforts, in addition to performing significant code review of all Microsoft products via the Security Development Lifecycle (SDL) process,” Dustin Childs, group manager, Response Communications, at Microsoft Trustworthy Computing told eSecurity Planet.
The SDL process was first announced back in 2003, as Microsoft struggled to fight back against a torrent of security challenges. As far back as 2005, Microsoft was already claiming a significant improvement in security as a result of the SDL. “The SDL is intended to help reduce the number and severity of vulnerabilities in software and services,” Childs said. “As such, improvements in Microsoft software and services such as defense-in-depth security enhancements make vulnerabilities more difficult to exploit.”
MS12-020 and Other Flaws
Though Microsoft has made strides to improve security in 2012, a few interesting flaws surfaced. Moore highlighted Bulletin MS12-020, a vulnerability in the Remote Desktop service, that he said stood out among the others. The MS12-020 vulnerability was patched in the March Patch Tuesday update.
“This vulnerability had a lot of buzz due to the number of affected systems and the Critical rating provided by Microsoft, but ended up being difficult if not impossible to actually exploit,” Moore said.
Moore also highlighted the MS12-063 Internet Explorer bulletin. That bulletin was actually an emergency out-of-band patch that was missed in the September Patch Tuesday update.
“This issue was found in the wild and was actively used to install malware,” Moore said. “The potential impact was high enough that the German government told its citizens to stop using Internet Explorer altogether.”
Microsoft’s Security Future
Looking forward to 2013, Microsoft aims to continue to improve its security posture. Childs noted that software development is an evolving process, and the SDL does not see threats to the computing ecosystem as being static.
“The Security Development Lifecycle (SDL) was built on the concept of mitigating classes of potential exploits rather than specific exploits, and reducing vulnerabilities to help provide protection against unforeseen threats,” Childs said. “We intend to continue evolving the SDL to meet new threats, focusing on not only maintaining and improving, but also looking at new architectures that will continue to allow us to expand our protection capabilities.”
From Moore’s perspective 2013 will be interesting due to the fact that many of the common software vulnerabilities that have historically affected Windows are becoming incredibly difficult to exploit due to operating system-level mitigations.
“The additional improvements in Windows 8 and the sky-high market for zero day may reduce the public visibility of security flaws to an all-time low,” Moore said. ” Microsoft still has work to do, but relative to other large software vendors, their ability to respond to security issues this year has improved. “