Analysis of Critical Microsoft Patches in the Second Half of 2008

During the year-end slowdown Qualys analyzed anonymous data captured by us during our global vulnerability scans. The analysis focuses on critical Microsoft patches published in the second half of 2008 to reduce the initial dataset.
 
Within the 20+ patches we can clearly see three distinct groups with different occurrence profiles:
 

• The first group contains the major Windows operating system and Microsoft Office vulnerabilities, with Office being the clear leader with a frequency of up to 25 % more than Windows OS patches.
• The second group are less frequently installed components in both Windows and Office, such as Office document filters (i.e. MS08-044) or VB runtime components (MS08-070) – they have less than 30% of the occurrence frequency of the first group.
• At a distant third, we see vulnerabilities in specialized parts of the operating system – the SNA communications connector (MS08-059) and the Windows Media encoder (MS08-053). These make up less than 2% of the overall mix.
• As a general trend, after about 30 days the majority of systems have the patches applied and the fix rate then slows down. This applies to all groups, even the comparatively low frequency group three follows this pattern of initial activity.
• On a side note group three also contains the only vulnerability that was limited to Windows Vista – MS08-075 – giving us an indication of the low numbers of deployed Vista installations in enterprises.