Active Directory is typically a critical application for businesses. It keeps track of all the user accounts, and it is not usually exposed to the Internet. But the administrator still should remain diligent in keeping it patched.
"If someone breaks into your network, Active Directory may be the first thing they will try to attack," Sarwate said.
Thus far this year, Microsoft has issued 105 bulletins, and Qualys estimates that number to hit 145 by the end of the year. This is up from years past. In 2014, Microsoft issued 106 bulletins and 100 in 2011. (Those issues that Microsoft finds internally are typically not publicized and instead are patched with routine updates before attackers find out about them.)
"I don't think software is becoming any more vulnerable," Kandek said. Rather a rising number of vulnerabilities stems from more third party researchers and attackers finding problems, coupled with the growing numbers of different products, versions and platforms that products run on.
"It's a good indicator for how important security is becoming," Kandek said.
Sign up for CIO Asia eNewsletters.