Microsoft announced today that the second Patch Tuesday of 2012 will see nine security bulletins, four of which were deemed critical.
Three of the four critical bulletins address vulnerabilities in Windows, one of which also targets an Internet Explorer flaw that Wolfgang Kandek, CTO of Qualys, says should be treated with the “highest priority.” This is because browser-based vulnerabilities have been exposed more quickly of late than those for legacy software, Kandek says.
The fourth critical bulletin targets the .NET framework and Silverlight. As for the remaining bulletins, all five are rated “important.” Four address vulnerabilities in Windows while another resolves an issue with Office and Server Software.
With the release Microsoft will exceed the seven bulletins issued last month, as well as nearly tripling the number of vulnerabilities addressed, from eight in January to 21 this month.
However, when the trends of the past few years are taken into account, the second Patch Tuesday of 2012 has been seen as a sign of continued progress for Microsoft security. Paul Henry, security and forensic analyst at Lumension, called this Patch Tuesday a “pretty sweet Valentine’s day” for the IT professionals responsible for implementing the bulletins, especially when compared to the last two year. Microsoft sent 12 patches and addressed 22 vulnerabilities in February 2011, a year after issuing 13 bulletins that addressed 26 vulnerabilities.
Especially coming off a similarly light January Patch Tuesday, in which seven bulletins were issued but just eight vulnerabilities were addressed, Henry says there are signs of optimism for Microsoft security.
“We’ve had two fairly light patching periods in a row, with just seven from Microsoft last month,” Henry says. “Clearly, the company’s renewed focus is paying off.”
Tuesday’s upcoming patch will bring the total number of security bulletins in 2012 to 16. In comparison, Microsoft had issued 14 combined patches in the first two months of 2011, following a light, two-patch month last January.
Despite the slightly higher total in overall bulletins compared to the same time last year, Henry has said security improvements in updated versions of Microsoft products have been evident in the continued decline in security patches. In 2011, Microsoft issued just 100 patches, down from 106 the year prior. The company also saw its lowest level of bulletins rated critical in 2011, at 32, since it began issuing them monthly in 2004.