Study Shows Record Year For Patches To Microsoft Products

From that, one can conclude either that more of the uncovered flaws from yesteryear are being exploited, or that the company simply continues to make the same mistakes over and over.

I have an idea it is both, but I am also wondering, as I daydream for a while, if the company should not have a few full-time “librarians” of code, that not only put the code away, but annotate each and every area of code that is attacked, with an analysis of why it happened – and then it should be available to every coder that the company has (probably on a Blu-ray disc) so that the same mistakes are not made again.

I know I keep harping on this, but it is so strange when we keep having the same sort of problems exploited, month after month. It would seem that, if the code of problem areas was put into a fuzzy search, then each time a Microsoft product that was analyzed was found to have the same basic code, the fixes could be applied before it became exploited later.

The proactive approach is spoken of in other areas of our lives; why is it not used in software? Should good coding design not be a part of RAD?

The Security column at ZDNet tells of the statistical analysis done, and perhaps what will be changing.

Microsoft dropped its largest ever batch of security patches today to cover a record 49 security vulnerabilities, including several browser flaws that could expose Internet Explorer users to drive-by malware downloads.

The Internet Explorer bulletin (MS10-071) fixes a total of 12 vulnerabilities and because of the risk of zero-click drive-by download attacks, Microsoft is urging Windows users to apply this patch immediately.

Users of other browsers don’t have this problem. Over and over in the past 3 years, it has been shown that a major way of combatting attacks on a Windows machine is to eschew the use of Internet Exploder.

Windows users should also pay special attention to MS10-076, which covers a serious flaw in the way the operating system handles embedded OpenType (EOT) fonts. This update is rated “critical” for all versions of Windows (including Windows 7 and Windows Server 2008) and can be exploited to launch remote code execution attacks if a computer user simply surfs to a booby-trapped Web site.

Another case where it may be fixed now, but since Windows 7 was supposed to have solved most of the flaws of Windows XP, and then Vista, why does this affect them all? Mistakes made over and over again.

Microsoft also urged system administrators to treat these bulletins with the highest priority:

  • MS10-077: Addresses a vulnerability in .NET Framework that could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs).  This bug only affects 64-bit systems on all supported versions of Windows.
  • MS10-075: Fixes a vulnerability in Windows Media Player that could be exploited via malicious RTSP network packets to Windows Vista and Windows 7 clients on the same network. This only affects Windows users who have opted in to Windows Media Network Sharing service. However, keep in mind that Windows 7 Home Edition opts in by default.

The Microsoft Office productivity suite also underwent a major security makeover in this month’s patch batch.  Two of the 16 bulletins address a whopping 26 vulnerabilities in Microsoft Office.

According to Microsoft, some of these Office flaws can be exploited via rigged .doc or .xls (Word or Excel files).

According to Jason Miller, data and security team leader at Shavlik Technologies, Microsoft has released a total of 86 new security bulletins in 2010.

Compared to previous years, you can see this number has far exceeded any previous total:

  • 2009 – Total 74 security bulletins
  • 2008 – Total 78 security bulletins
  • 2007 – Total 69 security bulletins

Miller notes that there are three bulletins this month that affect 3rd party (non-Microsoft) software.

“With these bulletins, vulnerabilities exist in the Microsoft operating system. However, Microsoft software is not affected and cannot be exploited. An attacker must try to exploit the third party product on unpatched systems. MS10-081 and MS10-082 affect non-Microsoft web browsers. MS10-074 affects third party zip programs. Patching the operating system will close these vulnerabilities,” Miller said.

Here’s a handy cheat sheet from Microsoft’s security research and defense team to help you assess the risks involved with each bulletin.

Wouldn’t it be refreshing to not have a single patch needed on the second Tuesday of a coming month?
