Tuesday, December 13, 2005

2 Bulletins, 5 Flaws and Keeping Count

As expected, Microsoft's security train dropped off two bulletins with patches for five holes -- in IE and in the Windows kernel.

As I noted in an earlier entry on counting vulnerabilities, Microsoft's PR machine loves to cite the number of bulletins as evidence of software security improvements. But if you go back and count the number of individual vulnerabilities fixed across the 55 bulletins released in 2005, you'll get a much better picture of just how many fixes are coming out of Redmond.

And that's just those they tell us about. Remember, the MSRC has repeatedly told us that the patch-creation process involves a healthy dose of code auditing to find -- and fix -- additional things related to the bug reported by an external researcher.

A quick aside on today's patch day: I'm told that the IE update does close the drive-by exploit vector but appears to be quite buggy. The attack (exploit) seems to hang the machine even though it's no longer getting through, and it takes a few minutes for the hang to go away.