Patch Tuesday, the unofficial name for the day on which Microsoft regularly releases security updates for its software products, has long been a staple of the information security community. On the second (and sometimes fourth) Tuesday of every month, Microsoft publishes a new set of security bulletins that patch a range of Common Vulnerabilities and Exposures (CVEs), flaws that were generally not judged severe or widely exploited enough to warrant an out-of-band fix. Each Patch Tuesday is therefore a distinct event with its own set of bulletins. Despite this, Tripwire's Vulnerability and Exposures Research Team (VERT) decided to analyze how this security hallmark has evolved over a period of five years. The research underscores Tripwire's commitment to understanding how Patch Tuesday, and the field of information security more generally, is changing. Significantly, after tracking the CVE count, the bulletin count, and the ratio of CVEs to bulletins over that period, VERT found that Microsoft is packing more CVEs into each bulletin, and that the trend is increasing over time. This finding is illustrated in the graph below:
Lane Thames, Software Development Engineer at Tripwire, believes that two factors could be responsible for this development. The first is code size, measured in millions of lines of code (MLOC). As Thames explains, "For a non-retired piece of software, MLOC generally grows over time for most software, which is matched by an increase in the total number of software defects. This is due to software complexity. Consequently, as the Microsoft code base continues to grow, so too does its overall defect rate and hence its overall vulnerability (CVE) rate." Though such an observation needs to be correlated with other data, such as actual MLOC counts for the products in question, the growth in the number of CVEs Microsoft patches each month might represent a positive development. "CVEs represent vulnerabilities that have been discovered, and in Microsoft's case (for the ones provided by the bulletins and Patch Tuesday), vulnerabilities that have been fixed," reasons Thames. "So, the increasing number of CVEs (and CVEs per bulletin) shows that Microsoft is fixing more and more defects/vulnerabilities per unit time." The second factor that might be responsible for the rise in CVEs patched per bulletin is the maturity of Microsoft's software and of the research community around it. Each year, a growing base of security researchers use advanced tools, such as fuzzers, along with a growing understanding of how various Microsoft products inherit code from one another, to find vulnerabilities and report them to Microsoft more quickly. Even so, this maturity is a double-edged sword. "If you see an increasing rate of CVEs discovered and disclosed by the good guys," explains Thames, "it would not surprise me that you would see a similar increasing rate of vulnerabilities found by the bad guys. The difference is that these discoveries will not be reported to MS and would instead be used where appropriate to attack businesses, governments, and the rest of us."
An increase in the number of CVEs is not the only significant finding of the VERT team's research. As displayed above, whereas the number of Internet Explorer bulletins increased over the five-year period, the number of critical bulletins released by Microsoft actually decreased. In fact, 2014 registered the lowest number of critical bulletins at 28, a third fewer than the previous year. Craig Young, Computer Security Researcher with VERT, believes that Windows XP may have had something to do with this trend: "Although I cannot see any particular drop-off specific to the XP end-of-life, it may be the case that dropping XP support is responsible for the reduced number of critical bulletins due to improved defensive measures in the newer supported versions. The overall bulletins, however, did not decrease due to how much code (and hence vulnerability) is shared from XP into the newer systems." But as with many developments in the field of information security, a number of factors are likely at play, not the least of which is how malicious actors may be changing their tactics. "A slight decline in bulletins either shows improvements in security-conscious coding from Microsoft or attackers becoming better at keeping vulnerabilities quiet," explains Lamar Bailey, who leads Tripwire's VERT team. "The discovery of Heartbleed and POODLE has shown there is a lot of research being done in open source projects where it is easier to find vulnerabilities due to the ability to review the actual code. Many commercial products use some open source code in their solutions, so a vulnerability discovered in a popular open source project could result in exploits for a much larger list of products." The rest of the findings reported by Tripwire's VERT team are available in the full report.
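The three measurements the article reports (CVEs per bulletin, critical bulletins per year, and Internet Explorer bulletins per year) are simple to reproduce from a bulletin export once two pitfalls are handled: Microsoft's bulletin spreadsheets list one row per affected product, so a bulletin must be deduplicated before it is counted, and a single CVE can appear in more than one bulletin, so CVEs should be counted as a distinct set per year rather than summed. The script below is an added example, not Tripwire's or Microsoft's code. It assumes a CSV with the columns shown in the constructed sample; the bulletin and CVE identifiers in that sample are placeholders and do not refer to real bulletins.

```python
"""Aggregate a Microsoft security bulletin export into per-year Patch Tuesday statistics.

Added example; assumes a CSV export with one row per (bulletin, affected product)
and a comma-separated CVEs column. Bulletin/CVE IDs below are constructed placeholders.
"""
import csv
import io
from collections import defaultdict

# Constructed sample data in the assumed export shape. Note the repeated
# bulletin rows (MS13-901, MS14-902): one bulletin, several affected products.
SAMPLE_CSV = """Date Posted,Bulletin Id,Severity,Title,Affected Product,CVEs
2013-01-08,MS13-901,Critical,Cumulative Security Update for Internet Explorer,Internet Explorer 9,"CVE-2013-90001,CVE-2013-90002"
2013-01-08,MS13-901,Critical,Cumulative Security Update for Internet Explorer,Internet Explorer 10,"CVE-2013-90001,CVE-2013-90002"
2013-01-08,MS13-902,Important,Vulnerability in Windows Kernel,Windows 7,CVE-2013-90003
2013-02-12,MS13-903,Critical,Vulnerabilities in Windows Print Spooler,Windows 8,CVE-2013-90004
2014-03-11,MS14-901,Critical,Cumulative Security Update for Internet Explorer,Internet Explorer 11,"CVE-2014-90001,CVE-2014-90002,CVE-2014-90003,CVE-2014-90004"
2014-03-11,MS14-902,Important,Vulnerabilities in Windows Kernel-Mode Driver,Windows 8.1,"CVE-2014-90005,CVE-2014-90006"
2014-03-11,MS14-902,Moderate,Vulnerabilities in Windows Kernel-Mode Driver,Windows Server 2012,"CVE-2014-90005,CVE-2014-90006"
2014-04-08,MS14-903,Critical,Cumulative Security Update for Internet Explorer,Internet Explorer 8,"CVE-2014-90007,CVE-2014-90008"
"""

# Microsoft's aggregate severity ratings, lowest to highest.
SEVERITY_RANK = {"Low": 0, "Moderate": 1, "Important": 2, "Critical": 3}


def parse_bulletins(csv_text):
    """Collapse per-product rows into one record per bulletin ID.

    A bulletin's severity is the highest rating across its product rows, its CVE
    set is the union of all rows, and it counts as an IE bulletin if any row
    names Internet Explorer in the title or affected product.
    """
    bulletins = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        bid = row["Bulletin Id"].strip()
        entry = bulletins.setdefault(
            bid,
            {"year": int(row["Date Posted"][:4]), "severity": None, "ie": False, "cves": set()},
        )
        sev = row["Severity"].strip()
        if SEVERITY_RANK.get(sev, -1) > SEVERITY_RANK.get(entry["severity"], -1):
            entry["severity"] = sev
        entry["cves"].update(c.strip() for c in row["CVEs"].split(",") if c.strip())
        if "Internet Explorer" in row["Title"] or "Internet Explorer" in row["Affected Product"]:
            entry["ie"] = True
    return bulletins


def yearly_stats(bulletins):
    """Per-year bulletin count, distinct CVE count, CVEs per bulletin, critical and IE counts."""
    acc = defaultdict(lambda: {"bulletins": 0, "cves": set(), "critical": 0, "ie": 0})
    for b in bulletins.values():
        year = acc[b["year"]]
        year["bulletins"] += 1
        year["cves"].update(b["cves"])  # set union: a CVE shared by two bulletins counts once
        year["critical"] += b["severity"] == "Critical"
        year["ie"] += b["ie"]
    stats = {}
    for year in sorted(acc):
        a = acc[year]
        stats[year] = {
            "bulletins": a["bulletins"],
            "cves": len(a["cves"]),
            "cves_per_bulletin": round(len(a["cves"]) / a["bulletins"], 2),
            "critical": a["critical"],
            "ie": a["ie"],
        }
    return stats


if __name__ == "__main__":
    for year, s in yearly_stats(parse_bulletins(SAMPLE_CSV)).items():
        print(f"{year}: {s['bulletins']} bulletins, {s['cves']} CVEs "
              f"({s['cves_per_bulletin']} per bulletin), {s['critical']} critical, {s['ie']} IE")
```

Swapping SAMPLE_CSV for a real export lets you check the article's headline numbers yourself; if the ratio is instead computed as the sum of per-bulletin CVE counts divided by bulletins, CVEs that Microsoft fixes in two products under two bulletins are counted twice, which inflates the trend slightly.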