Evolution of Malware

Exploit Trends and Security Bulletins

The Microsoft Security Engineering Center (MSEC) is one of three security centers that help protect customers from malware. The MSEC focuses on building more secure products and services from the software engineering side, through efforts such as the Microsoft Security Development Lifecycle (SDL) and security science.

The Microsoft Security Response Center (MSRC) identifies, monitors, resolves, and responds to Microsoft software security vulnerabilities. The MSRC releases security bulletins each month to address vulnerabilities in Microsoft software. Security bulletins are numbered serially within each calendar year. For example, “MS11-057” refers to the 57th security bulletin released in 2011.

Security bulletins are typically released on the second Tuesday of each month, although on rare occasions Microsoft releases an “out-of-band” security update to address an urgent issue. One out-of-band update was released in 2011.

The following figure shows the number of security bulletins and out-of-band updates issued since 2005, which was when Microsoft released the first version of the Malicious Software Removal Tool (MSRT).

MSRC security bulletins released since 2005

A single security bulletin often addresses multiple vulnerabilities from the CVE database, each of which is listed in the bulletin, along with any other relevant issues. The following figure shows the number of security bulletins released and the number of individual CVE-identified vulnerabilities that they have addressed in each half-year period since 1H05. (Note that not all vulnerabilities are addressed in the period in which they are initially disclosed.)

Number of MSRC security bulletins and CVE-identified vulnerabilities addressed

In 2011 the MSRC released 100 security bulletins that addressed 236 individual CVE-identified vulnerabilities, decreases of 7% and 6%, respectively, from 2010. As the following figure shows, the average number of CVEs addressed by each security bulletin has increased over time, from 1.5 in 1H05 to 2.4 in 2H11.

Average number of CVEs per MSRC security bulletin

Whenever possible, the MSRC consolidates multiple vulnerabilities that affect a single binary or component to address them in a single security bulletin. This approach maximizes the effectiveness of each update and minimizes the potential disruption that customers face from testing and integrating individual security updates into their computing environments.
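One way to compute the metrics behind these figures from a list of bulletin records, as an added example that is not part of the original report or of any Microsoft tool: it parses the MSyy-nnn identifier format described above, groups bulletins into the report's half-year periods (1H05, 2H11, and so on), counts distinct CVEs per period so that one CVE fixed by two bulletins is counted once, and flags CVEs whose identifier year predates the bulletin, which is the carry-over the note about disclosure periods refers to. The Bulletin record type, the function names and the sample records are assumptions made for this example; the dates, CVE identifiers and out-of-band flag in the sample are constructed placeholders, not what those bulletins actually addressed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# MSRC bulletin identifiers: "MS" + two-digit year + "-" + serial within that year
# (MS11-057 is the 57th bulletin of 2011). CVE identifiers carry the year they were assigned.
BULLETIN_RE = re.compile(r"^MS(?P<yy>\d{2})-(?P<serial>\d{3})$")
CVE_RE = re.compile(r"^CVE-(?P<year>\d{4})-\d{4,}$")


@dataclass(frozen=True)
class Bulletin:            # hypothetical record type for this example
    bulletin_id: str
    release_date: str      # ISO date, YYYY-MM-DD
    cves: tuple            # CVE ids listed in the bulletin
    out_of_band: bool = False


def parse_bulletin_id(bulletin_id):
    """Return (year, serial) for an MSyy-nnn identifier; raise ValueError otherwise."""
    m = BULLETIN_RE.match(bulletin_id)
    if not m:
        raise ValueError(f"not an MSRC bulletin identifier: {bulletin_id!r}")
    return 2000 + int(m.group("yy")), int(m.group("serial"))


def cve_year(cve_id):
    """Year component of a CVE identifier; raise ValueError if malformed."""
    m = CVE_RE.match(cve_id)
    if not m:
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return int(m.group("year"))


def half_year(release_date):
    """Map an ISO date to the report's half-year label, e.g. 2011-08-09 -> '2H11'."""
    year, month = int(release_date[:4]), int(release_date[5:7])
    return f"{1 if month <= 6 else 2}H{year % 100:02d}"


def summarize(bulletins):
    """Per half-year: bulletin count, out-of-band count, distinct CVEs, CVEs per bulletin,
    and CVEs whose identifier year predates the bulletin (disclosed in an earlier year)."""
    periods = defaultdict(lambda: {"bulletins": 0, "out_of_band": 0,
                                   "cve_set": set(), "carried_over": set()})
    for b in bulletins:
        year, _serial = parse_bulletin_id(b.bulletin_id)
        if year != int(b.release_date[:4]):
            raise ValueError(f"{b.bulletin_id} is numbered for {year} but released {b.release_date}")
        p = periods[half_year(b.release_date)]
        p["bulletins"] += 1
        p["out_of_band"] += int(b.out_of_band)
        for cve in b.cves:
            p["cve_set"].add(cve)        # a set: one CVE fixed by two bulletins counts once
            if cve_year(cve) < year:
                p["carried_over"].add(cve)
    # Sort by (year, half) so that 2H11 precedes 1H12.
    ordered = sorted(periods.items(), key=lambda kv: (kv[0][2:], kv[0][0]))
    return {
        period: {
            "bulletins": p["bulletins"],
            "out_of_band": p["out_of_band"],
            "cves": len(p["cve_set"]),
            "avg_cves": len(p["cve_set"]) / p["bulletins"],
            "carried_over": len(p["carried_over"]),
        }
        for period, p in ordered
    }


# Constructed sample records. The ids are in the 2011 series, but the dates, CVE ids and
# out-of-band flag are placeholders, not what those bulletins actually addressed.
SAMPLE_BULLETINS = (
    Bulletin("MS11-001", "2011-01-11", ("CVE-2011-0001",)),
    Bulletin("MS11-002", "2011-01-11", ("CVE-2010-0002", "CVE-2011-0003")),   # one 2010 CVE
    Bulletin("MS11-057", "2011-08-09", ("CVE-2011-0004", "CVE-2011-0005", "CVE-2011-0006")),
    Bulletin("MS11-058", "2011-08-09", ("CVE-2011-0006",)),                   # shares a CVE with MS11-057
    Bulletin("MS11-100", "2011-12-29", ("CVE-2011-0007", "CVE-2011-0008"), out_of_band=True),
)

if __name__ == "__main__":
    for period, stats in summarize(SAMPLE_BULLETINS).items():
        print(period, stats)
```

Two choices matter when reproducing the report's "CVEs per bulletin" figure: CVEs are deduplicated within a period, so a CVE that two bulletins both fix does not inflate the numerator, and the period is taken from the release date rather than from the bulletin's year digits, which is what places a late-December out-of-band release in 2H rather than in the following year. The report's own numbers were computed by Microsoft over the full bulletin set; the constructed sample here is only to exercise the logic.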
