Top patches, data breaks of 2009

Written by John P Mello Jr on January 5, 2010
Microsoft set dubious record in 2009.

Microsoft set a dubious record in 2009. In the month of October, it released the most updates (13) to address the most vulnerabilities (34) in the history of the company.

Ironically, if all the updates released by the company during the year were ignored, a user would still have averted more than 70 percent of all attacks launched during the period if he or she had kept their Microsoft Word patches up to date through June 2006. That’s because, according to one researcher, 71 percent of all attacks in 2009 exploited a vulnerability in the company’s word processor that was patched three years ago. Another 13 percent of all attacks exploited a vulnerability in Microsoft Excel that was patched in March 2008.

Since one never knows what vulnerabilities will catch a cracker’s fancy, the wisest course of action is to install patches when they become available, but if you’ve fallen behind in that department, you may want to move the following patches to the top of your to-do list. According to security experts, they’re the most important ones released in 2009, although one was actually introduced in 2008.

One such patch fixes a flaw in the Active Template Library used to build ActiveX controls. ActiveX has long been a juicy target for malware writers because it can be used to automatically download malicious software. In this case, the vulnerability negates certain security patches previously released by Microsoft. This patch for Microsoft Visual Studio allows developers to produce programs with vulnerability-free code.

In 2009, information highwaymen boosted their efforts to compromise Adobe PDF files. Adobe has contributed to efforts to poison its products by acting slowly to address vulnerabilities in them. Last year, the company emulated Microsoft’s action by releasing a monster update aimed at 29 vulnerabilities. Implementing this patch now, though, will just be a stop-gap measure, as the most recent Acrobat exploit won’t be tackled until Adobe’s next update, expected to be released on January 12.

A vulnerability in Microsoft’s .NET framework was fixed by the company in its Internet Explorer software, but is still alive in its competition, Mozilla Firefox. The defect can be exploited to infect computers via a drive-by attack at some toxic web sites.

Another high-priority patch addresses a vulnerability in Microsoft’s Server Message Block version two. Originally it was believed that the vulnerability in this file and printer sharing protocol only crashed a system when it was exploited, but researchers subsequently discovered that it could be used to hijack machines and add them to zombie networks.

The patch released in 2008 but named as a high priority update in 2009 by security experts plugs a hole that the Conficker worm feasted on in 2009. It enabled the malware to be one of the worst infestations of all time. It’s estimated that some seven million government, business and home computers in more than 200 countries are currently infected with the malevolent application.

In addition to being a banner year for security patches, 2009 also boasted two data breaches of historic proportions, according to the Office of Inadequate Security Web site.

The site ranks the top 10 data losses or breaches since 1973. At the top of the list is the break-in at Heartland Payment Systems in January 2009. At that time, a cracker hacked into the company’s computers, which rack up information for 100 million payment card transactions a month from some 175,000 merchants. Although the cyber bandits were able to break into Heartland’s system, the company said no merchant data, cardholder social security numbers or other sensitive information was involved in the breach. Later in the year, the U.S. Justice Department caught up to the miscreant behind the break-in, a 28-year-old cracker in Miami named Albert Gonzalez. Gonzalez has pleaded guilty to conspiring to hack into the computer networks of Heartland and other firms, including 7-Eleven and Hannaford Brothers Co., a supermarket chain in Maine. Gonzalez is scheduled to be sentenced in March 2010.

Another 2009 breach that broke into the top 10 list involved the National Archives and Records Administration. In that incident, the agency lost control of tens of millions of veterans’ records when it sent a malfunctioning hard drive to its manufacturer for repair. After determining the drive couldn’t be fixed, the manufacturer sent the drive to another company for recycling. The agency has stated publicly that it doesn’t believe that the information on the hard disk was compromised, but an ongoing investigation of the incident is being conducted by a federal inspector general.


One Comment to “Top patches, data breaks of 2009”

  1. Anonymous Says:

    No wonder that Microsoft had to release many patches and it snatched the top position in terms of Top Patches. What I wonder about is the fact that Microsoft’s packages – be it the OS or other Apps – are so vulnerable to threats. On the other hand there are so few threats on UNIX and its clones.
