Critical Microsoft Fixes Plummet in 2014 but Flaws Jump

The number of critical Patch Tuesday bulletins dropped by almost half last year, but Microsoft will have its work cut out in 2015, with more out-of-band fixes likely to be released as Google’s Project Zero team continues to push, according to Tripwire.

The security and compliance firm has compiled an analysis of last year’s Microsoft patch data and found, surprisingly, that there were just 28 critical bulletins, as opposed to 42 in 2013.

Less surprising is that Internet Explorer comprised 43% of those critical bulletins in 2014.

The data also revealed that the average number of bulletins each month dropped from nine in 2013 to seven last year, which is good news for time-poor system admins.

However, the number of vulnerabilities addressed increased by 20% in the second half of 2014 – so effectively Microsoft is “packing in more CVEs per bulletin in 2014,” according to Tripwire security researcher Lane Thanes.

He predicted that Microsoft would continue to do so in 2015, with the majority of patches again addressing Internet Explorer problems.

There’s also likely to be increasing pressure on the Redmond security team from its rival in Mountain View.

“It’s possible that we will see an uptick in the number of out-of-band Microsoft security bulletins due to Google’s Project Zero,” said Thanes. “On average, Microsoft will only have 70 to 80 days to fix, test and deliver patches for vulnerabilities discovered by Project Zero, given the fixed Patch Tuesday cycle and Project Zero’s rigid 90-day time frame.”

Google and Microsoft had a very public falling out over vulnerability disclosure when the Project Zero team released details of a vulnerability just two days before it was due to be addressed in the January Patch Tuesday.

Google has a strict rule of public disclosure if a vendor fails to patch within 90 days.

However, the security community is divided over which firm is in the right on this issue – with some applauding Google for forcing Microsoft’s hand whilst others think it is being irresponsible and potentially exposing customers to unnecessary risk.

SANS Institute fellow Ed Skoudis embodies this schism, claiming to hold two “very conflicting but equally held views.”

“The first is that Google is doing this because it’s big, powerful and fully lawyered up. If a small research team did what they did, they would get fried by the industry and maybe face lawsuits,” he told Infosecurity by email. 

“However, my other side says this is awesome. By shining a light on this issue, they are forcing major software vendors to put more priority into fixing these issues which will ultimately make our industry more secure.”

He added that Google would do well in the future to show “some granular judgement” about vulnerability disclosure.

Tripwire director of security R&D, Lamar Bailey, argued that the increasing pressure on Microsoft to fix bugs being actively exploited in the wild could cause problems in 2015.

“Microsoft must take quality very seriously – even a 1% failure rate on an IE patch is a huge number of affected systems,” he told Infosecurity.

“I expect to see patches this year that don’t completely fix a vulnerability and require multiple patches to completely remediate the vulnerability, but I don’t expect any broken patches.”
