Summaries from previous months:

When I do analysis and reports on Microsoft products, I typically look for where the Security Development Lifecycle (SDL) has helped to provide improvement and provide some stats on that.  This year, I decided to try and do this monthly to make it easier for me than when I do it all at once.

This report is my attempt to capture and share that information.  I hope you find it useful.

February Summary

First, here is a summary of the 8 vulnerabilities addressed in February, which were addressed in five updates (MS09-002, MS09-003, MS09-004, and MS09-005).

Vulnerability | Any Windows | SDL Benefit | Comment | Non-Windows Product
CVE-2009-0075 | C-NA | Reduced severity (IE-ESC), Modularity | IE-ESC on Servers, No IE on Core |
CVE-2009-0076 | C-NA | Reduced severity (IE-ESC), Modularity | IE-ESC on Servers, No IE on Core |
CVE-2009-0098 | | none | | Exchange 2000, 2003, 2007
CVE-2009-0099 | | Fewer vulns | No vuln in Exchange 2007 | Exchange 2000, 2003
CVE-2008-5416 | I | none | Affects all versions equally - Important | SQL, WMSDE, WYukon
CVE-2009-0095 | | none | Affects all versions equally - Important | Visio 2000, 2003, 2007
CVE-2009-0096 | | none | Affects all versions equally - Important | Visio 2000, 2003, 2007
CVE-2009-0097 | | Fewer vulns | No vuln in Visio 2007 - Important on others | Visio 2000, 2003

Four of the eight vulnerabilities fixed in February had some level of SDL Benefit.  Only 3 of the 8 vulnerabilities affected a Windows platform:

  • MS09-002, the IE update, addressed two vulnerabilities
  • MS09-004, the SQL update, addressed one vulnerability
    • Note that WMSDE ships with WS2003 to support UDDI
    • Note that WYukon ships with WS2008 (and Core) to support various services

Though I am primarily focusing on Windows components in this monthly summary, I do note that the 2007 versions of both Exchange and Office had fewer vulnerabilities compared with earlier releases.

SDL Vulnerability Benefit

This section summarizes the vulnerabilities and any corresponding SDL benefit for Windows and Windows components.  Because of interest in browsers, I’ll also break out Internet Explorer separately.

Internet Explorer

Product | Vulnerabilities | Not Affected | Lesser severity
Any IE | 2 | |
IE6, all | 0 | 2 | 0
IE7, XP or Vista | 2 | 0 | 0
IE7, WS2003 or WS2008 | 2 | 0 | 2
IE7, WS2008 Core | 0 | 2 | 0

Windows (including IE)

Product | Vulnerabilities | Not Affected | Lesser severity
Any Windows | 3 | |
Windows XP SPx | 2 | 1 | 0
Windows Vista | 2 | 1 | 0
Windows Server 2003 | 3 | 0 | 2
Windows Server 2008 | 3 | 0 | 2
WS2008 Core | 1 | 2 | 0

Here is the key for this table:

  • The first (non-header) row counts all vulnerabilities that affected any version of Windows – 3 this month.
  • For each product row, the second column counts how many affected that product and the third column reflects how many did not affect that version – columns 2 and 3 should always add up to the total from the first row (3 this month).
  • The last column counts how many vulnerabilities had the severity mitigated to some degree.
  • The numbers in parentheses are the deltas from last month.

For products where different versions of built-in applications could be installed (e.g. IE6 or IE7), I am taking the worst case value and counting when any of the versions are affected.

Update Scenarios

I also want to take a look at how updating is impacted or not.  It is likely that two versions may have the same number of updates, though each mitigates differing numbers of vulnerabilities or different levels of risk.  (For example, a single update might address one Moderate issue on WS2008 while the same update addresses two Critical issues on WS2003).

Companies have differing patch policies, so for the sake of illustration, I am going to assume a very simple update policy:

  • Critical or Important – will be rolled out immediately
  • Moderate or Low – will be deferred until a periodic roll-up update (perhaps annual or semi-annual)

Internet Explorer

Product | Updates | Deployed | Deferred
Any IE | 1 | |
IE6, all | 0 | 0 | 0
IE7, XP or Vista | 1 | 1 (2C) | 0
IE7, WS2003 or WS2008 | 1 | 0 | 1 (2M)
IE7, WS2008 Core | 0 | 0 | 0

Windows (including IE)

Product | Updates | Deployed | Deferred
Any Windows | 2 | |
Windows XP SPx | 1 | (2C) |
Windows Vista | 1 | (2C) |
Windows Server 2003 | 2 | (1I) | (2M)
Windows Server 2008 | 2 | (1I) | (2M)
WS2008 Core | 1 | (1I) |

Using this table, I’ll look at two fictional company scenarios:

  • Company A:  Has a Windows XP and Windows Server 2003 environment
  • Company B:  Has a Windows Vista and Windows Server 2008 environment
  • Company C:  Has a Windows XP, Vista, Server 2003 and Server 2008 environment
  • Company D:  Uses only servers implemented using Windows Server Core.

Company A has to (potentially) roll out one update for all client machines in February (if IE7 is deployed) and one update for server machines.

Company B has to roll out one update for all client machines in February and one update for server machines.

Company C has to roll out one update for all client machines in February and one update for server machines.

Company D has to roll out one update for its Windows Server Core machines.
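As an added example (not part of the original post), the script below derives the "Vulnerabilities / Not Affected / Lesser severity" counts described in the table key and the Deployed/Deferred labels under the simple Critical-or-Important policy, from the three February Windows CVEs constructed from the table at the top of the page. The platform names, the rule that a rating counts as "lesser" when it is below the vulnerability's worst rating on any platform, and the "2C"/"1I" label format are my own assumptions.

```python
from collections import defaultdict

RANK = {"Low": 1, "Moderate": 2, "Important": 3, "Critical": 4}
DEPLOY_NOW = {"Critical", "Important"}   # the page's policy: the rest is deferred

PLATFORMS = ["Windows XP", "Windows Vista", "Windows Server 2003",
             "Windows Server 2008", "WS2008 Core"]

# Constructed from this page's February table: (CVE, bulletin, severity per
# affected platform). A platform missing from the dict is not affected.
# Server ratings for the IE CVEs are Moderate because of IE-ESC.
FEBRUARY = [
    ("CVE-2009-0075", "MS09-002", {"Windows XP": "Critical", "Windows Vista": "Critical",
     "Windows Server 2003": "Moderate", "Windows Server 2008": "Moderate"}),
    ("CVE-2009-0076", "MS09-002", {"Windows XP": "Critical", "Windows Vista": "Critical",
     "Windows Server 2003": "Moderate", "Windows Server 2008": "Moderate"}),
    ("CVE-2008-5416", "MS09-004", {"Windows Server 2003": "Important",
     "Windows Server 2008": "Important", "WS2008 Core": "Important"}),
]


def vuln_summary(vulns, platforms=PLATFORMS):
    """Per platform: (affected, not affected, lesser severity). A rating is
    'lesser' when it is below the worst rating that CVE has on any platform."""
    total = len(vulns)
    out = {}
    for p in platforms:
        affected = lesser = 0
        for _cve, _bulletin, sev in vulns:
            if p in sev:
                affected += 1
                if RANK[sev[p]] < max(RANK[s] for s in sev.values()):
                    lesser += 1
        out[p] = (affected, total - affected, lesser)
    return out


def update_summary(vulns, platforms=PLATFORMS):
    """Per platform: (updates, deployed labels, deferred labels). An update is
    deployed now if any of its CVEs rates Critical/Important on that platform;
    a label counts the update's CVEs by severity initial, e.g. '2C' or '1I'."""
    out = {}
    for p in platforms:
        per_bulletin = defaultdict(list)
        for _cve, bulletin, sev in vulns:
            if p in sev:
                per_bulletin[bulletin].append(sev[p])
        deployed, deferred = [], []
        for sevs in per_bulletin.values():
            label = "".join(f"{sevs.count(s)}{s[0]}" for s in RANK if s in sevs)
            (deployed if DEPLOY_NOW & set(sevs) else deferred).append(label)
        out[p] = (len(per_bulletin), deployed, deferred)
    return out
```

Running `vuln_summary(FEBRUARY)` and `update_summary(FEBRUARY)` reproduces the February Windows rows above, and the same two functions can be fed a cumulative list to produce the year-to-date tables.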

2009 Year-to-Date Summary

In addition to the monthly summary, I am going to try and keep a running count of the year-to-date values as well.  I am doing the math in these tables by hand and I am trying to be careful, but I apologize in advance for the errors I will likely make before the end of the year.  Point them out and I’ll correct them ;-)

SDL Vulnerability Benefit (YTD)

Looking at the tables below, I find some interesting key points already after February:

  • Out of 6 possible Windows vulnerabilities,
    • Windows Vista – two have not affected Windows Vista and one additional vulnerability had a reduced severity.
    • Windows Server 2008 – 1 did not affect Windows Server 2008 and 3 additional had a reduced severity.
    • Windows Server Core (WSC) – 3 did not affect WSC and one additional had a reduced severity, meaning that 66% of possible Windows vulnerabilities either didn’t affect or had reduced severity on WSC.

Internet Explorer

Product | Vulnerabilities | Not Affected | Lesser severity
Any IE | 2 (+2) | |
IE6, all | 0 | 2 (+2) | 0
IE7, XP or Vista | 2 (+2) | 0 | 0
IE7, WS2003 or WS2008 | 2 (+2) | 0 | 2
IE7, WS2008 Core | 0 | 2 (+2) | 0

Windows (including IE)

Product | Vulnerabilities | Not Affected | Lesser severity
Any Windows | 6 (+3) | |
Windows XP SPx | 5 (+2) | 1 | 0
Windows Vista | 4 (+2) | 2 (+1) | 1
Windows Server 2003 | 6 (+3) | 0 | 2 (+2)
Windows Server 2008 | 5 (+3) | 1 | 3 (+2)
WS2008 Core | 3 (+1) | 3 (+2) | 1

Here is the key for this table:

  • The first (non-header) row counts all vulnerabilities that affected any version of Windows – 6 this year.
  • For each product row, the second column counts how many have affected that product and the third column reflects how many have not affected that version – columns 2 and 3 should always add up to the total from the first row (6 this year).
  • The last column counts how many vulnerabilities had the severity mitigated to some degree.
  • The numbers in parentheses are the deltas from last month’s cumulative totals.

Update Scenarios (YTD)

Looking at the Update deployment summary (below) compared to the vulnerability summaries (above), there are some interesting observations:

  • Windows Vista, Windows Server 2008 and Windows Server Core did not have to immediately roll out 2/3 of the Updates so far this year.  This is a solid benefit.
  • Though the same number of Updates were “applicable” for some different versions, the severity policies as applied resulted in fewer being deployed immediately in some cases.

Windows (including IE)

Product | Updates | Deployed | Deferred
Any Windows | 3 | |
Windows XP SPx | 2 | (2C1M)(2C) | 0
Windows Vista | 2 | (2C) | (2M)
Windows Server 2003 | 3 | (2C1M)(1I) | (2M)
Windows Server 2008 | 3 | (1I) | (2M)(2M)
WS2008 Core | 2 | (1I) | (2M)

Using this table, I’ll look at two fictional company scenarios:

  • Company A:  Has a Windows XP and Windows Server 2003 environment
  • Company B:  Has a Windows Vista and Windows Server 2008 environment
  • Company C:  Has a Windows XP, Vista, Server 2003 and Server 2008 environment
  • Company D:  Uses only servers implemented using Windows Server Core.

Company A has rolled out a total of three updates (out of 3 possible) year-to-date – one on clients, one on servers and one on both.  One browser update could be deferred for server machines.

Company B has rolled out a total of two updates (out of 3 possible) year-to-date – one on clients and one on servers.  One update could be deferred.  Additionally the browser update could be deferred for server machines.

Company C has rolled out a total of three updates (out of 3 possible) year-to-date.

Company D has rolled out one update (out of 3 possible) year-to-date.  One update did not apply to Windows Core and the other could be deferred because of reduced severity.

Regards ~ Jeff