Monday, October 17, 2005

Counting Vulnerabilities

The New York Times sits in on Microsoft's Blue Hat v2 and offers the following:

"Microsoft executives also cite a decline in the number of security bulletins issued for major products like Windows Server and Office as evidence that the new engineering discipline is having an impact.

There were 69 such bulletins issued for Windows 2000 Server in two and a half years and only 41 for Windows Server 2003 in a comparable period, the company said.

Eleven bulletins were issued for the 2001 version of Office XP during the first 594 days after its introduction; for Office 2003, there were six bulletins in the same period. For the last two Windows XP updates, 35 bulletins were issued for Service Pack 1 in the year ended last June but only 18 for Service Pack 2."

It's quite amusing to see Microsoft touting security improvements by the number of bulletins released when it's commonplace to find multiple vulnerabilities patched in a single bulletin. For example, in October, Microsoft issued nine bulletins that patched 14 vulnerabilities. Counting bulletins measures how Microsoft chose to package its fixes, not how many flaws were found and fixed.
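As an added illustration (not code from the original post), here is a small Python routine that does the comparison the paragraph above argues for: for a product and a release window, it counts bulletins and distinct vulnerability identifiers separately, so a bulletin that fixes several flaws is not counted as one flaw, and a flaw that is fixed again in a later bulletin is counted once. The bulletin records, product names and identifiers below are constructed placeholders, not real Microsoft bulletins or CVEs.

```python
"""
Added example, not from the original post: bulletin count versus distinct
vulnerability count for one product over a release window.
All records and identifiers are constructed placeholders.
"""
from datetime import date, timedelta

# Constructed sample data: (bulletin id, product, release date, vulnerability ids).
# Identifiers are placeholders, not real bulletin or CVE numbers.
SAMPLE_BULLETINS = [
    ("BULLETIN-01", "ProductA", date(2005, 10, 11), ["VULN-001", "VULN-002", "VULN-003"]),
    ("BULLETIN-02", "ProductA", date(2005, 10, 11), ["VULN-004"]),
    ("BULLETIN-03", "ProductA", date(2005, 11, 8),  ["VULN-003", "VULN-005"]),  # VULN-003 re-fixed
    ("BULLETIN-04", "ProductB", date(2005, 10, 11), ["VULN-006", "VULN-007"]),
    ("BULLETIN-05", "ProductA", date(2006, 5, 9),   ["VULN-008"]),  # outside a 90-day window
]


def count_flaws(bulletins, product, start, days):
    """Return (bulletin_count, distinct_vulnerability_count) for `product`
    released on or after `start` and before `start + days`.

    A vulnerability that appears in two bulletins (for example, an incomplete
    fix that was reissued) is counted once; a bulletin that fixes several
    vulnerabilities contributes all of them.
    """
    end = start + timedelta(days=days)
    n_bulletins = 0
    vulns = set()
    for _bulletin_id, prod, released, ids in bulletins:
        if prod != product or not (start <= released < end):
            continue
        n_bulletins += 1
        vulns.update(ids)
    return n_bulletins, len(vulns)


def vulns_per_bulletin(bulletins, product, start, days):
    """Average number of vulnerabilities hidden behind each bulletin in the window."""
    n_bulletins, n_vulns = count_flaws(bulletins, product, start, days)
    return n_vulns / n_bulletins if n_bulletins else 0.0


if __name__ == "__main__":
    window_start = date(2005, 10, 1)
    for product in ("ProductA", "ProductB"):
        nb, nv = count_flaws(SAMPLE_BULLETINS, product, window_start, 90)
        print(f"{product}: {nb} bulletins, {nv} distinct vulnerabilities "
              f"({vulns_per_bulletin(SAMPLE_BULLETINS, product, window_start, 90):.2f} per bulletin)")
```

Run it against a real bulletin feed by replacing the constructed records with (bulletin, product, date, CVE list) tuples; the distinct-vulnerability column is the number the bulletin count understates.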

Just for fun, I'll do the flaw count for the period listed in the New York Times story and the results should be interesting.