Microsoft patched 190 vulnerabilities in 2009

Microsoft posted a total of 74 security bulletins in 2009, which together patched 190 vulnerabilities in its operating systems and software. (The original write-up calls them "exploits"; a bulletin fixes vulnerabilities, and the counts below are counts of fixed flaws, not of working exploits.) June was the biggest patch month, with 10 bulletins fixing 31 vulnerabilities, while January had only 1 bulletin, which fixed 3.

Microsoft rated 44 of the 2009 bulletins critical, its highest severity rating, 27 important and 3 moderate; no bulletin was rated low. Counted at the vulnerability level instead, the 74 bulletins covered 132 vulnerabilities rated critical, 53 important and 5 moderate. The two sets of figures differ because a bulletin's aggregate rating is the highest rating given to any vulnerability it covers on any affected product, so a single critical bulletin can also carry several important or moderate vulnerabilities.

By impact type, 55 of the 2009 bulletins addressed Remote Code Execution, 5 Denial of Service, 3 Spoofing, 10 Elevation of Privilege and 1 Information Disclosure. The 190 vulnerabilities those bulletins patched break down as 157 Remote Code Execution, 7 Denial of Service, 7 Spoofing, 18 Elevation of Privilege and 1 Information Disclosure.

By this count Windows Server 2003 was labeled the most insecure piece of Microsoft software, with 34 vulnerabilities patched. Windows Server 2008 and Windows XP each had 30, and Windows Vista and Windows 2000 each had 26. Windows 7, which shipped in October, had 1 bulletin covering 3 vulnerabilities in 2009. Two caveats apply to the per-product figures: they count what was fixed, not what remains exposed, and the same vulnerability is counted once for every product it affects, so the per-product totals overlap rather than summing to 190.

Internet Explorer 6 had 7 vulnerabilities patched in 2009, with IE5 and IE7 close behind at 6 each. Internet Explorer 8 had 4 vulnerabilities patched in 2009.

Office 2003 had the most vulnerabilities patched among the Office releases in 2009, with 13. Office XP had 11, Office 2007 had 10, and Office 2000 had the fewest, with 8.

Office 2004 and Office 2008 for Mac each had 6 vulnerabilities patched in 2009.
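The article reports three kinds of figure that are easy to conflate: bulletins (one document each), vulnerabilities (one fixed flaw each) and per-product counts (one vulnerability counted once per product it affects). As an added example that is not part of the original article, the script below tallies a small set of constructed, placeholder bulletin records (not real 2009 bulletins; the identifiers are invented) the same three ways. The severity aggregation follows Microsoft's stated practice of rating a bulletin by the worst rating of any vulnerability it covers on any affected product; the per-vulnerability rating used here, the worst rating across products, is an assumption about how the article's source counted.

```python
from collections import Counter

# Constructed sample data for illustration only; these are not real Microsoft
# bulletins or CVE records. Each bulletin carries one impact type and, for
# every vulnerability it fixes, the severity rating per affected product.
SAMPLE_BULLETINS = [
    {
        "bulletin": "BULLETIN-1",  # placeholder id, not a real bulletin number
        "impact": "Remote Code Execution",
        "vulns": {
            "VULN-A": {"Windows XP": "Critical",
                       "Windows Server 2003": "Critical",
                       "Windows Vista": "Important"},
            "VULN-B": {"Windows XP": "Critical",
                       "Windows Server 2003": "Critical"},
        },
    },
    {
        "bulletin": "BULLETIN-2",
        "impact": "Elevation of Privilege",
        "vulns": {
            "VULN-C": {"Windows Server 2003": "Important",
                       "Windows Vista": "Important",
                       "Windows Server 2008": "Important"},
        },
    },
    {
        "bulletin": "BULLETIN-3",
        "impact": "Spoofing",
        "vulns": {
            "VULN-D": {"Windows XP": "Moderate"},
        },
    },
]

SEVERITY_RANK = {"Low": 0, "Moderate": 1, "Important": 2, "Critical": 3}


def highest(severities):
    """Return the highest Microsoft severity label among those given."""
    return max(severities, key=SEVERITY_RANK.__getitem__)


def vuln_severity(per_product):
    """A vulnerability's headline rating: its worst rating on any product
    (assumed counting rule, see lead-in)."""
    return highest(per_product.values())


def bulletin_severity(bulletin):
    """A bulletin's aggregate rating: the worst rating of any vulnerability
    it covers on any affected product (Microsoft's aggregate-severity rule)."""
    return highest(vuln_severity(v) for v in bulletin["vulns"].values())


def tally(bulletins):
    """Count bulletins and vulnerabilities by severity, impact and product.

    Per-product counts count a vulnerability once for every product it
    affects, so they overlap and their sum exceeds the vulnerability total.
    """
    counts = {
        "bulletins": len(bulletins),
        "vulnerabilities": sum(len(b["vulns"]) for b in bulletins),
        "bulletins_by_severity": Counter(),
        "vulns_by_severity": Counter(),
        "bulletins_by_impact": Counter(),
        "vulns_by_impact": Counter(),
        "vulns_by_product": Counter(),
    }
    for b in bulletins:
        counts["bulletins_by_severity"][bulletin_severity(b)] += 1
        counts["bulletins_by_impact"][b["impact"]] += 1
        for per_product in b["vulns"].values():
            counts["vulns_by_severity"][vuln_severity(per_product)] += 1
            counts["vulns_by_impact"][b["impact"]] += 1
            for product in per_product:
                counts["vulns_by_product"][product] += 1
    return counts


def product_overlap(counts):
    """Extra counts the per-product view adds because vulnerabilities overlap."""
    return sum(counts["vulns_by_product"].values()) - counts["vulnerabilities"]


if __name__ == "__main__":
    c = tally(SAMPLE_BULLETINS)
    print(c["bulletins"], "bulletins covering", c["vulnerabilities"], "vulnerabilities")
    for key in ("bulletins_by_severity", "vulns_by_severity",
                "vulns_by_impact", "vulns_by_product"):
        print(key, dict(c[key]))
    print("per-product overlap:", product_overlap(c))
```

On the sample data, 3 bulletins cover 4 vulnerabilities, but the per-product column sums to 9, because VULN-A alone is counted for three products. That is the same effect that lets Windows Server 2003, Server 2008, XP, Vista and Windows 2000 each claim 26 to 34 of the year's 190 vulnerabilities: most of them are shared. It also shows why "bulletins rated critical" and "vulnerabilities rated critical" are different numbers, since BULLETIN-1 is critical as a whole while VULN-A is only important on Windows Vista.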

40 Comments

How many software products then? I can recall several times when every Office app was patched along with several Viewers. I expect that every time a vulnerability is found, Security scrubs similar products for similar code, because code sharing was the hallmark of early Microsoft software development.

Windows 2000, XP, Vista, 7, Server 2000, 2003, 2008, Office 2000, XP, 2003, 2007, Office Mac 2004 & 2008, .NET Framework, and a variety of other Microsoft branded software products.

There were roughly 10 components of related OS, Office and other software that were patched too.

Andrew Lyle said,
Windows 2000, XP, Vista, 7, Server 2000, 2003, 2008, Office 2000, XP, 2003, 2007, Office Mac 2004 & 2008, .NET Framework, and a variety of other Microsoft branded software products.

There were roughly 10 components of related OS, Office and other software that were patched too.

Visual Studio, Silverlight, Windows Live apps too.

Since we have the math expert here, I have a math question. Are these 190 exploits, or 74 exploits that occurred in 190 different software products?

rdmiller said,
Since we have the math expert here, I have a math question. Are these 190 exploits, or 74 exploits that occurred in 190 different software products?

They are 74 bulletins that address 190 exploits and it wasn't 190 different software products.

Everything needs patching; it was made by humans, and none of us are perfect. I wish MS were not so quick to point out other companies' flaws; it only leads to others showing them theirs.

Yeah, I always like how all of Microsoft's updates have one of maybe 3 canned descriptions... lol But even what was listed here wasn't all that informative... Oh well...

No offense, but this article sucks. Probably not Andrew's fault. Garbage in, garbage out, most likely.

But the number of patches issued or flaws fixed is not a very good metric, at all. With an article source, we would at least be able to possibly delve into the data more deeply. Find out the severities (more than just the corporate summary listed, and actually look per-product). Look at the time to patch. Identify the known unpatched items.

Declaring "Windows Server 2003 the most insecure piece of Microsoft software" based solely on the number of issues patched is absurd.


I am all for patches and updates, and have never berated ANY company or group for patching flaws (regardless of the amount of patches). Microsoft patching these is a GOOD THING ™. Same as when Apple patches, Linux patches, Adobe patches, or whatever.

Exactly... I thought we were over this mental fallacy by now.

It's always better to have more fixes than a company that is more relaxed about it. Sure, it's all good if there were few security holes to begin with, and therefore also few fixes, but this article and these statistics tell nothing about that. At all.

Yep, patching flaws is good, and although I agree that the number of patches alone is a poor metric to judge by, the numbers do suggest that they have done an excellent job with security in Vista and Windows 7.

markjensen said,
No offense, but this article sucks. Probably not Andrew's fault. Garbage in, garbage out, most likely.

But the number of patches issued or flaws fixed is not a very good metric, at all. With an article source, we would at least be able to possibly delve into the data more deeply. Find out the severities (more than just the corporate summary listed, and actually look per-product). Look at the time to patch. Identify the known unpatched items.

This brings up *again* a very good point I have been trying to make the last several months. Neowin gets these stories from elsewhere and then reports on them here. But they do not list sources (Which is ridiculous). When the readers tear apart a news story for inaccuracy, poor grammar, or strange assumptions or conclusions, they then run back and point to the original source as it isn't "Neowin's fault"... But why wouldn't you just list the source in the first place? In news reporting, isn't this kind of expected when you rip a story anyway?

markjensen said,
Declaring "Windows Server 2003 the most insecure piece of Microsoft software" based solely on the number of issues patched is absurd.

I agree. I thought that was rather silly as well.

markjensen said,
I am all for patches and updates, and have never berated ANY company or group for patching flaws (regardless of the amount of patches). Microsoft patching these is a GOOD THING ™. Same as when Apple patches, Linux patches, Adobe patches, or whatever.

Agreed. Good post.

M_Lyons10 said,
This brings up *again* a very good point I have been trying to make the last several months. Neowin gets these stories from elsewhere and then reports on them here. But they do not list sources (Which is ridiculous). When the readers tear apart a news story for inaccuracy, poor grammar, or strange assumptions or conclusions, they then run back and point to the original source as it isn't "Neowin's fault"... But why wouldn't you just list the source in the first place? In news reporting, isn't this kind of expected when you rip a story anyway?

Andrew simply compiled a list on his own. His sources were the security bulletins MS released this year. There's your source.

All articles on Neowin are sourced, unless the content is original.

Would you like Andrew to list all the 190 links to the patches as sources?

I'd like to know why people have to read so much into any thing that's printed. The story was not meant to be a scientifically proven fact or anything. There is absolutely no reason to even want to or need to delve into the data more deeply.

Who cares (too much) about the grammar or little nit-picking things like that? Should be plenty used to that just from reading some of the illiterate posts on this forum!

Being that this is just a generalized story about updates and security, I think this line says it all: "Declaring 'Windows Server 2003 the most insecure piece of Microsoft software' based solely on the number of issues patched is absurd." From that standpoint, it is the most insecure.

cork1958 said,
...
Being that this is just a generalized story about updates and security, I think this line says it all: "Declaring 'Windows Server 2003 the most insecure piece of Microsoft software' based solely on the number of issues patched is absurd." From that standpoint, it is the most insecure.

That makes no sense at all. It is an arbitrary statistic that is non-proportional with product security. Much like the old "kloc" (kilo-lines of code). If I pointed out how software that was larger was more insecure because it was larger, that would be absurd.

If you really believe that the number of patches issued to close holes determines the insecurity of a product, you would be mistaken, and have no line of reasoning to support that conclusion. Try it. You cannot build a logical case.

I dunno, why couldn't you? If you look at the overall life of, say, the first year of XP vs the first year of Vista vs the first year of Win7, and see that the number of bugs/holes found and patched has been tracking lower and lower, then isn't it safe to say that the newer OSes are indeed safer than the older ones? Or at least safer from the get-go.

GP007 said,
I dunno, why couldn't you? If you look at the overall life of, say, the first year of XP vs the first year of Vista vs the first year of Win7, and see that the number of bugs/holes found and patched has been tracking lower and lower, then isn't it safe to say that the newer OSes are indeed safer than the older ones? Or at least safer from the get-go.

For "holes found", you have a good start. But this count has nothing to do with counting total advisories. Just patches issued. You really are missing half of the important information.

thealexweb said,
Very curious to see how many Apple released; not surprised if they released even more than Microsoft.

This is not really interesting. The interesting part is how many open bugs there are this minute in various products.

Many fixes don't automatically mean poor security. It can also mean that a company is leaving fewer security holes unfixed in their products than a competitor, which is a good thing.

If the rate at which they patch never slows down then they're either pushing bad patches, have a lot of holes, or constantly introduce new holes. None of this is good. What you'd want is decreasing holes to patch.

Jugalator said,
This is not really interesting. The interesting part is how many open bugs there are this minute in various products.

Many fixes don't automatically mean poor security. It can also mean that a company is leaving fewer security holes unfixed in their products than a competitor, which is a good thing.

Which would apply to Microsoft as well, as they are also patching their software as they find things.

M_Lyons10 said,
Which would apply to Microsoft as well, as they are also patching their software as they find things.

Jugalator's post was speaking of all platforms. Not sure why you read it as excluding Microsoft in some sort of attack... :ermm:

Also, like Andrew mentioned in his post 5.4, this is a look at Microsoft's patches. I don't know why people are insisting that this be a thorough pan-platform comparison.