CIO Today

CIO Today Network Sites:   Top Tech News  |   CIO Today   |   Mobile Tech Today   |   Data Storage Today
Daily Briefing for Technology's Top Decision-Makers
Wednesday, April 23rd 
24/7/365 Network Uptime!
This ad will display for the next 20 seconds. Please click for more information, or scroll down to pass the ad, or Close Ad.
Trending Topics:   Security Heartbleed Big Data Cloud Computing Windows XP Data Centers OS X Mavericks
Home
Enterprise Software
Enterprise Hardware
Big Data
Network Security
Cloud Computing
CRM Systems
Data Storage
Operating Systems
Communications
CIO Issues
Mobile Tech
Chips & Processors
World Wide Web
Business Briefing
After Hours
Press Releases
 
Free Newsletters
Top CIO News
 
Mobile Tech Today
 

Network Security

Microsoft Patch Tuesday Shows Secure Coding Pays Off

Microsoft Patch Tuesday Shows Secure Coding Pays Off
December 12, 2012 10:18AM

Bookmark and Share
Security researcher Paul Henry said it was great to see Microsoft's Secure Coding Initiative paying off, reducing the number of vulnerabilities in its software, resulting in an easier time for IT at Patch Tuesday time. Over the year, Microsoft Patch Tuesday released 35 critical security bulletins, 46 important bulletins and two moderate bulletins.

Neustar, Inc. (NYSE: NSR) is a trusted, neutral provider of real-time information and analysis to the Internet, telecommunications, information services, financial services, retail, media and advertising sectors. Neustar applies its advanced, secure technologies in location, identification, and evaluation to help its customers promote and protect their businesses. More information is available at www.neustar.biz.

Microsoft's last Patch Tuesday of 2012 rolled out seven patches. Five of them are rated critical and two are rated important. The good news is: none are under active attack.

With December's Patch Tuesday, Microsoft has rolled out 83 security bulletins in 2012. That's significantly down from the 100 security bulletins Redmond released in 2011. Microsoft released 117 security bulletins in 2010.

"Maybe even more important than the raw numbers is the more regular release rhythm that Microsoft set this year," said Wolfgang Kandek, CTO at Qualys. "We see this as a clear sign of a more mature process."

Prioritizing the Patches

Looking at December's patches, five of this month's bulletins are rated as critical. That means an attacker can use the vulnerabilities Microsoft is fixing to gain complete control over the victim's machine.

"Of the five, we think that MS12-079, a bulletin for Microsoft Word, is the most important. The attack can be accomplished through e-mail using a flaw in the Rich Text Format," Kandek told us. "An attacker can gain control of a computer without end user interaction because Microsoft Outlook automatically displays the malicious text in the Preview Pane."

Kandek pointed to a potential work-around: manually configuring the preview pane in Outlook's Trust Center to use plain text only. The downside is you lose a significant amount of functionality by opting for this workaround.

Kandek put the Internet Explorer bulletin MS12-077 in a close second with regard to IT patching priorities. MS12-077 addresses vulnerabilities in IE 9 and 10, the newest versions of IE that run under Vista, Windows 7 and Windows 8.

"Here, an attacker would have to lure the attack target to browse to a malicious Web page," Kandek said. "This is a tad harder than sending the target a simple e-mail, another common attack method."

Secure Coding Initiative Pays Off

Paul Henry, a security and forensic analyst for Lumension, also pulled the camera back and took a wide view of 2012. With the multitude of third-party application patching needed this year from the likes of Adobe, Java and even Apple, he said, you likely didn't notice Microsoft put out 20 percent fewer patches in 2011.

Over the year, Microsoft Patch Tuesday released 35 critical bulletins, 46 important bulletins and two moderate bulletins. Henry said it was great to see Microsoft's Secure Coding Initiative paying off, reducing the number of vulnerabilities in its software, resulting in an easier time for IT at Patch Tuesday time.

"A look back over the last couple of years proves interesting. In 2011, January had two bulletins, while February had 12. March then went back down to three, but April went up to 17. May had two and June went back up to 16," Henry said.

"In contrast, January of this year had seven patches, February had nine, then six in both March and April, and seven in both May and June. In fact, only one month -- September, at three -- was lower than six or higher than nine. The degree of consistency makes it easier for IT to plan out the time and effort they'll need to spend on Patch Tuesday each month."

Tell Us What You Think
Comment:

Name:

Norm:

Posted: 2012-12-13 @ 10:29am PT
@Shickadee: Mine went smoothly. You might want to try again, but also report the problem directly to Microsoft. Good luck.

Shickadee:

Posted: 2012-12-13 @ 10:26am PT
This December's update couldn't make it past the 7th of twelve updates. After waiting more than 1/2 a day for it to complete, I finally chanced it and restarted my computer. Thankfully it recovered okay. This is the 1st time this has happened, with all the Windows 7 updates. Has anyone else had this problem?



 Network Security
1. Verizon Report Exposes Cyberthreats
2. How Are Web Sites Post-Heartbleed?
3. White House Updating Privacy Policy
4. Target Hackers May Be Tough To Find
5. Heartbleed Exploit Could Cost Millions




 Most Popular Articles
1. BlackBerry Drops T-Mobile After Nasty Spat
2. Cisco, IBM Launch Internet of Things Consortium
3. Salesforce CRM Gets Industry Specific for Internet of Customers
4. Intel Bets on Cloudera for Big Data Analytics
5. SAP HANA Data Warehouse App Gets Faster Analytics


Have an informed opinion on this story?
Send a Letter to the Editor.
We want to know what you think.
Send us your Feedback.

 Related Topics  Latest News & Special Reports

  Hortonworks, Concurrent To Partner
  Microsoft, BMC Targeting VMware
  AT&T in $500M Net Video Partnership
  Verizon Report Exposes Cyberthreats
  Samsung: $2.2B Too Much for Apple

 Technology Marketplace
Business Intelligence
Get real-time, cloud-based information services with Neustar.
 
Cloud Computing
Next Generation Data Center Is Here! Vblock™ Systems from VCE
 
Contact Centers
HP delivers the future of the contact center with HP Qfiniti 10.
 
Data Storage
Next Generation Data Center Is Here! Vblock™ Systems from VCE
Barium Ferrite (BaFe) is the future of tape.
2.5" Enterprise-class SATA & SAS SSDs for server & storage applications
 
Enterprise Hardware
Barium Ferrite (BaFe) is the future of tape.
2.5" Enterprise-class SATA & SAS SSDs for server & storage applications
 
Hardware
Protect your network with APC Smart-UPS battery backup
 
Network Security
Protect your network with APC Smart-UPS battery backup
 

Network Security Spotlight
Verizon Data Breach Report Exposes Top Threats
Beyond Heartbleed, there are cyberthreats vying to take down enterprise networks, corrupt smartphones, and wreak havoc on businesses. Verizon is exposing these threats in a new report.
 
Where Do Web Sites Stand, Post-Heartbleed?
A security firm says the vast majority of Web sites have patched themselves to protect against the Heartbleed bug, but now there are questions raised on the reliability of open-source programs.
 
White House Updating Online Privacy Policy
A new Obama administration privacy policy explains how the government will gather the user data of online visitors to WhiteHouse.gov, mobile apps and social media sites, saying much is in the public domain.
 
Navigation
CIO Today
Home/Top News | Enterprise Software | Enterprise Hardware | Big Data | Network Security | Cloud Computing | CRM Systems
Data Storage | Operating Systems | Communications | CIO Issues | Mobile Tech | Chips & Processors | World Wide Web
Business Briefing | After Hours | Press Releases
Also visit these Enterprise Technology Sites
Top Tech News | CIO Today | Mobile Tech Today | Data Storage Today

Services:
FreeNewsFeed | Free Newsletters | XML/RSS Feed

About CIO Today Network | How To Contact Us | Article Reprints | Services for PR Pros (In partnership with NewsFactor) | Top Tech Wire | How To Advertise

Privacy Policy | Terms of Service
© Copyright 2000-2014 CIO Today. All rights reserved. Article rating technology by Blogowogo. Member of Accuserve Ad Network.