Patch Craze To Continue In 2007

With Microsoft's 2006 total breaking previous records of both the number of security updates issued and the number of critical vulnerabilities patched, it may come as a shock that 2007 will likely meet or beat those figures.

"Although Microsoft is fixing a lot more of its vulnerabilities faster than in the past, we'll see the trend continuing [of more updates]," says Chris Andrew, the VP of security technologies at patch management vendor PatchLink Corp. "Vista will still have security vulnerabilities."

The cycle of vulnerability disclosure-exploit-patch that's accelerated in 2006, adds Andrew, will also continue next year. "With two [Microsoft Word] zero-day threats still active and no patches in sight, December is a preview of what's to come in 2007," Andrew says. And according to a survey released by PatchLink on Wednesday, almost 70% of companies expect foresee an increase in zero-day threats during 2007.

But Gunter Ollmann, the director of IBM's Internet Security Systems (ISS) X-Force threat research team, predicts that Windows Vista, or even Microsoft overall, won't be the big bug-fixer early in the year.

"Every vendor under the sun will be launching program updates in the first couple of months for Vista," says Ollmann. Naturally, new software will lead to new bugs being found, and necessary patches prepared and deployed.

But 2007 will have to work hard to beat this year's numbers. According to security vendor McAfee, Microsoft during 2006 patched 133 vulnerabilities pegged as "critical" or "important," the top two rankings in the Redmond, Wash., developer's four-step system of scoring threats. That was almost double the number patched in 2005.

Overall vulnerabilities are also up, adds Ollmann, but less dramatically. ISS, he says, "just counted the 7,000th vulnerability of the year." However, during 2005, there were approximately 5,000 flaws tallied by ISS.