According to Symantec

Feb 16, 2007 14:39 GMT  ·  By

As a tangent to its overview of the February 2007 Microsoft Patch Tuesday, the Cupertino-based security company Symantec took a look at the Redmond juggernaut's history of resolving client-side vulnerabilities. Client-side vulnerabilities are software holes that require user interaction for a successful exploit to be carried out. The user would have to click a link, visit a webpage, or execute an email attachment in order to permit the attack.

"We all know that Microsoft has been patching more and more client-side issues lately. I had to wonder though, how many more? How rapid has this rise been, and when did it start? Luckily, I have the Symantec/SecurityFocus Vulnerability Database handy, and I decided to do some digging," explained Ben Greenbaum, Symantec Senior Security Response Researcher.

What Symantec has found is that Microsoft has been increasingly patching client-side vulnerabilities since 2004. And while three years ago the Redmond company accounted for fewer than 10 such vulnerabilities, that number has grown constantly ever since, peaking in 2006 at over 40 client-side flaws.

This means that while in 2004 patched client-side vulnerabilities made up approximately 20% of all the issues resolved by Microsoft, by the end of 2005 their volume had more than doubled, coming to an apex of 80% in 2006.

"I should point out that the figure below illustrates patched vulnerabilities, not patches per se. If fixing one vulnerability requires four patches, one for each affected platform, then that counts as one. If one patch addresses three vulnerabilities, then that counts as three," Greenbaum explained.

Image courtesy of Ben Greenbaum.
