Microsoft today announced a relatively light load of patches will be delivered on Patch Tuesday next week, along with some numbers that demonstrate public vulnerability disclosures continue to rise.
Four security bulletins, one rated critical, are scheduled to be released next Tuesday. In what’s becoming customary for Patch Tuesday, administrators can expect another cumulative patch roll-up for Internet Explorer addressing a number of remote code execution vulnerabilities in the browser.
The three remaining bulletins, all rated important by Microsoft, include a privilege-escalation bug in Windows 8 and 8.1 as well as Windows Server 2012 and RT. Another bulletin patches a .NET denial-of-service vulnerability in Windows Server 2003, 2008 and 2012, and on the client side in Windows versions back to Vista.
Another denial-of-service bug is expected to be patched in Microsoft’s Lync instant messaging and collaboration software.
“The small number of patches expected out next week doesn’t mean you can take a pass on patching this month, however,” cautions Russ Ernst, director of product management at Lumension.
Last month, Microsoft patched IE with a cumulative update that addressed 26 vulnerabilities including one exploited in the wild. The news out of last month’s batch of bulletins, however, was a faulty patch, MS14-045, that was re-released after users complained of crashes and blue screens of death. The bulletin addressed vulnerabilities in kernel-mode drivers, and Microsoft blamed font issues for the system crashes.
In the meantime, Microsoft points out in a separate announcement that public vulnerability disclosures are approaching levels matching the first half of 2012, and that more than 4,000 disclosures have been made annually since the start of 2011. That number is still well shy of the 7,000 disclosed in the 2006-2007 timeframe, Microsoft said.
For the last half of 2013, for example, disclosures across the industry were up 6.5 percent from the start of the year, and up 12.6 percent from the second half of 2012. The severity of disclosures, however, is down. A little more than six percent of bugs scored 9.9 or greater on the CVSS scale in the second half of 2013, down from almost 13 percent in the first six months of the year.
“Vulnerability complexity is an important factor to consider in determining the magnitude of the threat that a vulnerability poses,” wrote Microsoft’s Tim Rains in the report. “A high-severity vulnerability that can only be exploited under very specific and rare circumstances might require less immediate attention than a lower-severity vulnerability that can be exploited more easily.”
Disclosures of medium- and low-complexity bugs, which pose the highest risk to users because they are the easiest to exploit, far outnumber disclosures of high-complexity vulnerabilities, Microsoft said.
Disclosures in third-party applications such as media players and Web components such as Flash or Java continued to climb, up 34.4 percent in the latter half of 2013, and accounted for 58 percent of disclosures during that timeframe. Operating system vulnerability disclosures, meanwhile, were down 46 percent and accounted for 15 percent of total disclosures. Browser bugs were also down, by 28 percent, and made up 10 percent of overall disclosures.
Microsoft also examined disclosures for its products, 174 in the second half of 2013, up 2 percent from the first six months. Microsoft disclosures account for 7 percent of industry disclosures, down slightly from the start of the year.