Microsoft: Software More Secure, but Malware Is Growing Threat
The number of software vulnerabilities in the first half of 2008 dropped 4 percent compared with the previous six months and a respectable 19 percent from the first half of 2007.
- By William Jackson
- November 3, 2008
The number of software vulnerabilities reported in the first half of this year
continued a year-old downward trend, dropping 4 percent compared with the previous
six months and a respectable 19 percent from the first half of 2007, according
to a report released today by Microsoft Corp.
But this is no time to relax your guard. The amount of malicious code and
other unwanted software being removed from computers jumped a whopping 43 percent
in the first half of the year compared with the previous six months.
Part of that jump is attributed to the wider use of clean-up software that
produced the data, said Microsoft principal engineer Jimmy Kuo. But when normalized
for distribution the figures still show a 23 percent increase in unwelcome code,
he said. The prevalence of Trojan downloaders and droppers, which have been
the dominant type of malicious code encountered for the last year, is evidence
of a continuing trend toward use of botnets for organized crime, he said.
The report is the fifth biannual
Microsoft Security Intelligence Report and covers the period from January through
June of this year. It contains data on the complete spectrum of vulnerabilities,
exploits and threats, not just Microsoft software.
"There were no real surprises in the report," Kuo said. "We
were gratified to see continued downward trends. For the most part, everything
went for the better," although the jump in malicious and unwanted code
was an exception.
There also was a jump in the percentage of vulnerabilities rated as severe
during the period covered as compared to the preceding six months, but the 13
percent figure still was lower than in the first half of 2007. Of more concern
to Kuo was the increase in the number of vulnerabilities requiring a low level
of complexity to exploit. But hackers seem to be unable to reliably exploit
even simple vulnerabilities. According to the report, only slightly more than
10 percent of the simple vulnerabilities had publicly available exploit code
that would consistently work. "The rest were either unreliable or ineffective,"
Figures show a continued trend of attacks moving away from operating systems
and to applications. More than 90 percent of vulnerabilities disclosed from
January through June were for applications.
Microsoft is claiming improvements in the security of its latest operating system,
Windows Vista. The report says that 42 percent of all browser-based attacks on
machines running Windows XP targeted vulnerabilities in Microsoft products. On
Vista machines, only 6 percent of attacks targeted Microsoft vulnerabilities.
Kuo said the trend holds true for all service pack versions of both operating
systems and that the 64-bit version of Vista had fewer Microsoft vulnerability
attacks than the 32-bit version.
"This demonstrates how the latest Microsoft products and technologies
appear to be at less risk from publicly available exploit code than earlier
products," the company said in a statement. Kuo attributed the improvements
to Microsoft's use of a secure development lifecycle process.
An interesting finding in the report is the unique threat profile for different
countries. In the United States, Trojan downloaders such as Win32/Zlob
are by far the largest single category of threat. In Brazil, it is password
stealers such as Win32/Bancos that dominate with a 60 percent market share. China
is dominated by adware, Italy by unwanted peer-to-peer software, Korea by viruses
and Spain by worms.
The distinct profiles reflect the characteristics that hackers and criminals
are targeting in each country, Kuo said. Brazil has the highest per-capita level
of online banking, so phishing and password stealing are big there. Korea is
one of the most highly connected countries, so viruses spread more easily in
The report recommends some common-sense steps for defending yourself online:
- Check for and apply software updates on an ongoing basis, including updates
provided for third-party applications.
- Enable a firewall.
- Install and maintain up-to-date anti-virus and anti-spyware programs.
- Uninstall software you don't actively use. Malicious code can exploit vulnerabilities
in software whether you use it or not.
- Avoid browsing to sites that you do not trust.
- To avoid attacks that rely on administrative user rights, enable User Account
Control in Vista, or log in with a user account that does not have administrative
- Read e-mail messages in plain text format to help protect yourself from
the HTML e-mail attack vector.
William Jackson is the senior writer for Government Computer News (GCN.com).