Just hours after releasing the advance notification for May’s Patch Tuesday release, which consists of seven bulletins, Microsoft brought some closure to its biggest security threat of the year.

In a post on its TechNet blog, Microsoft blamed March’s information leak in the Microsoft Active Protections Program (MAPP) that led to several threats against a Remote Desktop Protocol (RDP) vulnerability on Chinese partner company Hangzhou DPTech Technologies.

“During our investigation into the disclosure of confidential data shared with our Microsoft Active Protections Program (MAPP) partners, we determined that a member of the MAPP program, Hangzhou DPTech Technologies Co., Ltd., had breached our non-disclosure agreement (NDA),” Yunsun Wee, director of Microsoft Trustworthy Computing, wrote in the blog post. “Microsoft takes breaches of our NDAs very seriously and has removed this partner from the MAPP Program.”

The breach, which came at the hands of hackers in China, granted the cybercrime community access to information to attack the RDP vulnerability before Microsoft customers were given the information needed to patch it. Wee added that Microsoft “took actions to better protect our information,” while senior program manager Maarten Van Horenbeeck provided more visibility into the inner workings of MAPP.

Given the relatively light load of security bulletins, Microsoft chose an opportune time to close the book on March’s security scare. Three of the seven bulletins were rated critical, the most interesting of which was Bulletin 1’s critical patch for Office, Qualys CTO Wolfgang Kandek says.

Threats against Office typically require the user to open a file containing a malicious program, Kandek says. Microsoft has traditionally been more prone to issue the “important” rating to threats that involve user interaction, he added, making this month’s critical bulletin “kind of interesting.”

Marcus Carey, security researcher at Rapid7, speculated that the Office vulnerability patched with Bulletin 1 “is an underlying issue on how it processes data.” Citing the recent phishing attacks against Mac systems, Carey says threats coming through Microsoft productivity software are “becoming a recurring theme for organizations and end users because it’s primed for phishing attacks.”

Beyond that, the remaining two critical patches will attract the most attention, primarily because they address vulnerabilities in Windows versions XP through 7, Carey says.

“This means that all organizations and the entire user base will be affected by these critical bulletins,” Carey says.

The other four bulletins were all rated important. Bulletins 4 and 5 address remote code execution vulnerabilities in Office, while bulletins 6 and 7 address elevation of privilege in Windows Vista and Windows 7.

With seven bulletins in April, Microsoft’s total bulletins for 2012 rises to 35, compared to the 36 issued by the same point last year. Interestingly, Microsoft’s release schedule has been far more consistent than in years past. From January through May 2012, the total number of Patch Tuesday bulletins issued in a single month has dipped as low as six and risen only as high as nine. In the same period last year, those totals ranged from two in both January and May to 12 in February and 17 in April.

This trend shows a sign of stability in Microsoft research and makes the jobs of systems administrators much easier, Kandek says.

“I’m not sure how they do this internally in terms of planning, but it seems to me going to a more steady stream is a sign of maturity, and from my systems administration perspective I prefer that than every two months getting something bigger,” Kandek says. “I personally prefer a steady stream coming out. I can deal with that better, rather than things where suddenly my capacity is stretched more.”

Andrew Storms, director of security operations for nCircle, also took note of Microsoft’s continued move away from the “feast and famine” approach of last year. However, the number of bulletins is less relevant than the number of common vulnerabilities and exposures (CVEs), Storms says, and the security community should put more focus on Microsoft’s increase in that area this year.

“Bulletin numbers don’t tell the whole patch story,” Storms says. “CVEs correspond to the number of bugs fixed, and this year Microsoft is on a CVE streak. With the 23 CVEs in May’s patch, Microsoft’s CVE count has already reached 70 for 2012. This time last year Microsoft issued just 59 CVEs.”

Colin Neagle covers emerging technologies, privacy and enterprise mobility for Network World.