Today we released the fourth annual Microsoft Security Response Center (MSRC) Progress Report.  This report highlights advancements in various Microsoft information sharing initiatives that foster deeper industry collaboration, increase community-based defenses, and better protect customers.

This new report includes:

  • Updated Microsoft Security Bulletin statistics covering the past year
  • A behind the scenes look at what goes into an out-of-band security bulletin
  • Year over year progress within Microsoft initiatives including the Microsoft Active Protections Program (MAPP), Microsoft Exploitability Index, and Microsoft Vulnerability Research (MSVR)
  • An update on the Microsoft BlueHat Prize Contest announced last year
  • Results of a study on the efficacy of the Enhanced Mitigation Experience Toolkit (EMET)

Some of the key findings include:

  • During the 12 months ending June 2012, Microsoft released a total of 90 security bulletins to address 203 individual vulnerabilities.

Figure: Bulletins issued and CVEs addressed, 1H07–1H12

  • Of the vulnerabilities addressed by Microsoft from July 2011 to June 2012, 50.0 percent could allow remote code execution by an attacker, down from 62.8 percent during the previous 12-month period.

Figure: Percent of vulnerabilities affecting Microsoft products with potential remote code execution, July 2007–June 2012

  • The 90 security bulletins Microsoft published from July 2011 to June 2012 resulted in 190 Exploitability Index ratings.

Figure: Microsoft Exploitability Index ratings, July 2011–June 2012

  • An examination of different possible deployment scenarios illustrates how the Exploitability Index can help save organizations money and allow them to better allocate resources, asseen in the table below.

Figure: Security bulletin deployment events under different scenarios, June 2011–June 2012

  • Since July 2011, Microsoft Vulnerability Research has identified and responsibly disclosed 96 different software vulnerabilities affecting a total of 39 vendors.
  • Use of Coordinated Vulnerability Disclosure (CVD) increased to a new high during the period from July 2011 through June 2012. Of the vulnerabilities disclosed to Microsoft, 91 percent were reported using CVD, up from 84 percent during the previous 12-month period.

Figure: Vulnerability disclosures affecting Microsoft products, July 2006–June 2012

There is a lot more new information included in the report.  I encourage you to download the full report available here.

Tim Rains
Director, Trustworthy Computing