Decrease in Critical Issues and Bulletins
As for individual issues, Critical-class CVEs accounted for less than a third of the issues we addressed in bulletin releases for the first time since we began our monthly bulletin-release cadence in 2004. And in absolute numbers, Critical-class CVEs are at their lowest levels since 2005. The fact that we’re seeing lower percentages of Critical issues and bulletins year-over-year demonstrates progress made by the product groups in creating more secure software.
With this regularly scheduled monthly release, our bulletin count for 2011 is 99, with 13 released today. Of those, we determined 10 to be Important-class bulletins, with only three classified as Critical in severity. In 2011, Critical-class bulletins represented just 32 percent of all bulletins – the lowest percentage since we began our monthly bulletin-release cadence in 2004 and, again, the lowest absolute number since 2005. Interestingly, for the second half of the year the numbers are even lower, with under 20 percent of bulletins released in the last six months rated Critical in severity.
Even though there are fewer Critical-class security updates year-over-year, we know that any update has the potential to be disruptive for customers. And so we work hard to make our update process as smooth and transparent as possible for customers – with no surprises. As part of that commitment, in 2011 we were able to address reported security issues effectively without resorting to emergency releases outside of the regular scheduled monthly releases. We understand the disruption that these “out-of-cycle” releases create for customers, and we take the decision to release an update out of cycle very seriously. Effective coordination with product teams, greater use of threat telemetry, the ability to release workarounds, and the ability to release defenses through partners like those in Microsoft’s Active Protection Program (MAPP) have all helped us to release all our 2011 bulletins in the usual monthly process. We’re glad about that, even though we will always reserve the right to release out-of-cycle if the situation merits it.