Microsoft: Software More Secure, but Malware Is Growing Threat

The number of software vulnerabilities in the first half of 2008 dropped 4 percent compared with the previous six months and a respectable 19 percent from the first half of 2007.

The number of software vulnerabilities reported in the first half of this year continued a year-old downward trend, dropping 4 percent compared with the previous six months and a respectable 19 percent from the first half of 2007, according to a report released today by Microsoft Corp.

But this is no time to relax your guard. The amount of malicious code and other unwanted software being removed from computers jumped a whopping 43 percent in the first half of the year compared with the previous six months.

Part of that jump is attributed to the wider use of clean-up software that produced the data, said Microsoft principal engineer Jimmy Kuo. But when normalized for distribution the figures still show a 23 percent increase in unwelcome code, he said. The prevalence of Trojan downloaders and droppers, which have been the dominant type of malicious code encountered for the last year, is evidence of a continuing trend toward use of botnets for organized crime, he said.

The report is the fifth biannual Microsoft Security Intelligence Report and covers the period from January through June of this year. It contains data on the complete spectrum of vulnerabilities, exploits and threats, not just Microsoft software.

"There were no real surprises in the report," Kuo said. "We were gratified to see continued downward trends. For the most part, everything went for the better," although the jump in malicious and unwanted code was an exception.

There also was a jump in the percentage of vulnerabilities rated as severe during the period covered as compared to the preceding six months, but the 13 percent figure still was lower than in the first half of 2007. Of more concern to Kuo was the increase in the number of vulnerabilities requiring a low level of complexity to exploit. But hackers seem to be unable to reliably exploit even simple vulnerabilities. According to the report, only slightly more than 10 percent of the simple vulnerabilities had publicly available exploit code that would consistently work. "The rest were either unreliable or ineffective," it said.

Figures show a continued trend of attacks moving away from operating systems and to applications. More than 90 percent of vulnerabilities disclosed from January through June were for applications.

Microsoft is claiming improvements in the security of its latest operating system, Windows Vista. The report says that 42 percent of all browser-based attacks on machines running Windows XP targeted vulnerabilities in Microsoft products. On Vista machines, only 6 percent of attacks targeted Microsoft vulnerabilities.

Kuo said the trend holds true for all service pack versions of both operating systems and that the 64-bit version of Vista had fewer Microsoft vulnerability attacks than the 32-bit version.

"This demonstrates how the latest Microsoft products and technologies appear to be at less risk from publicly available exploit code than earlier products," the company said in a statement. Kuo attributed the improvements to Microsoft's use of a secure development lifecycle process.

An interesting finding in the report is the unique threat profile for different countries. In the United States, Trojan downloaders such as Win32/Zlob are by far the largest single category of threat. In Brazil, it is password stealers such as Win32/Bancos that dominate with a 60 percent market share. China is dominated by adware, Italy by unwanted peer-to-peer software, Korea by viruses and Spain by worms.

The distinct profiles reflect the characteristics that hackers and criminals are targeting in each country, Kuo said. Brazil has the highest per-capita level of online banking, so phishing and password stealing is big there. Korea is one of the most highly connected countries, so viruses spread more easily in that environment.

The report recommends some common-sense steps for defending yourself online:

  • Check for and apply software updates on an ongoing basis, including updates provided for third-party applications.
  • Enable a firewall.
  • Install and maintain up-to-date anti-virus and anti-spyware programs.
  • Uninstall software you don't actively use. Malicious code can exploit vulnerabilities in software whether you use it or not.
  • Avoid browsing to sites that you do not trust.
  • To avoid attacks that rely on administrative user rights, enable User Account Control in Vista, or log in with a user account that does not have administrative user rights.
  • Read e-mail messages in plain text format to help protect yourself from the HTML e-mail attack vector.

About the Author

William Jackson is the senior writer for Government Computer News (GCN.com).