Microsoft incorrectly claims drop in vulnerabilities that permit remote code execution
In its latest annual security report, Microsoft claimed some progress in heading off vulnerabilities that permit remote code execution.
However, the initial version of the report released Monday contained errors, and a corrected version no longer claims that the total number of vulnerabilities allowing remote code execution is dropping.
The first version of the report stated “vulnerabilities that can lead to remote code execution have dropped considerably in percentage terms as well as in raw figures.” However, after Network World pointed out inconsistencies between figures in the text and an associated chart, Microsoft released an updated version that states remote code execution vulnerabilities “have dropped in percentage terms” only.
In fiscal 2011, 62.8% of vulnerabilities permitted remote code execution, down from 70.8% this year and 74.1% in 2008, according to the Microsoft Security Response Center’s third annual progress report.
Microsoft released 117 security bulletins covering 283 vulnerabilities in the 12-month period ending June 2011, a greater total than most of the previous 5 years covered in the report. Microsoft releases a number of patches covering numerous products on Patch Tuesday, the second Tuesday of every month.
In fiscal 2010, there were 88 security bulletins covering 211 vulnerabilities in Microsoft products. Based on the percentages provided by Microsoft, about 149 of those vulnerabilities permitted remote code execution. This year, that number jumped to around 178, meaning there were 29 additional vulnerabilities allowing remote code execution in the newest 12-month period.
These are estimates because a Microsoft representative declined to specify exactly how many remote code execution vulnerabilities were discovered each year, and also wouldn’t provide statistics on other kinds of vulnerabilities.
“Typically [Microsoft] does not share the particular quantity of remote code executions or what kinds of vulnerabilities elevated or decreased,” the representative wrote in an email.
On the bright side, Microsoft’s report states that vulnerability statistics show newer versions of its software are less vulnerable than older ones, which is no real surprise. About 38% of vulnerabilities were “less serious or nonexistent on the new edition of the affected application than on earlier versions.” Only 3% of vulnerabilities “affected the newest version although not older versions.”
However, IT pros at Microsoft shops continue to be burdened with growing numbers of patches to deploy. By deploying only the most serious patches and using only the current versions of Windows client and server software, customers could have reduced the number of patches from 117 to 24 in the newest 12-month period.
Still, “Microsoft recommends that buyers install all relevant security updates,” so skipping less serious fixes is not advised. “Exploitation techniques change with time, and recently developed techniques make it simpler for an attacker to take advantage of vulnerabilities which had formerly been harder to effectively exploit,” Microsoft stated.