Microsoft Report: More Software Threats but Fewer Flaws
Studying the overall software security landscape for the first half of 2008, Microsoft has reported a general decrease in vulnerabilities. However, malware itself is on the rise. In addition, makers of malicious software have continued to target applications rather than operating systems, according to Microsoft.
Microsoft (Nasdaq: MSFT) on Monday released its Security Intelligence Report (MSIR), which covers the first half of 2008. The report, according to the software maker, is an in-depth look at the overall software security threat environment. It’s based on data received from hundreds of millions of computers around the globe.
During the first half of 2008, the report found, software makers and security vendors made significant inroads in protecting their customers from malicious threats. As a result, reports of vulnerabilities have gone down.
That said, however, the actual threat posed by cyber criminals and malware continues to grow.
“The boost in malware just goes to show that vulnerabilities and malware/exploits do not follow a direct relationship, despite the fact that malware and exploits are based on security vulnerabilities. Tracking the number of reported vulnerabilities shows the efforts of the security community to thwart attacks. Tracking the malware and exploits shows the efforts of hackers and cyber criminals,” Chris Rodriguez, a Frost & Sullivan analyst, told TechNewsWorld.
A Vulnerable Place
The MSIR shows that malware and potentially unwanted software removed from PCs worldwide increased more than 43 percent in the first half of 2008. While both Trojan downloaders and high-severity vulnerabilities rose sharply — from just about 15 percent of all unwanted software in the second half of 2007 to more than 30 percent in 2008 — worms, backdoors, password stealers and monitoring tools dropped significantly, from 15 percent to 10 percent.
Despite differences in the methodologies used by Microsoft and Frost & Sullivan, Rodriguez said that Microsoft’s findings are very similar to what his research firm has found.
“The number of total vulnerabilities reported climbed steadily and peaked in early 2007. The total reported decreased each quarter until early 2008, at which point our research showed a slight increase. Most notably, our research showed the same drastic increase in threat severity in mid-2007,” he said.
“In Q3 of 2007, 63 percent of reported vulnerabilities were rated as high severity, and low severity vulnerabilities accounted for only 3 percent of total vulnerabilities. This jump coincides with the release of the new version of the Common Vulnerability Scoring System, which was meant to more accurately portray the security and threat landscape,” he continued.
Apps at Risk
Microsoft’s report suggests that online attackers continue to shift focus away from the operating system and toward applications. In the first six months of 2008, nine out of 10 newly reported vulnerabilities affected applications; the rest aimed at OSes.
Even so, Rodriguez said, vulnerabilities are not necessarily the right way to measure the actual security of an application. “Every application has a set number of vulnerabilities depending on how big and complex it is. When it comes down to it, they are developed by humans and lower numbers of reported vulnerabilities are simply less tested,” he explained.
Compared to Windows Vista, XP is a little more tested, he said. “That’s why a lot of enterprises are sticking with that and haven’t made the jump [to Vista]. That vulnerabilities have been decreasing and malware has been increasing points to a shift from hackers trying to hack these very ubiquitous applications to more Web-based application attacks is because these are largely untested.”
As more companies deploy business-critical applications online in order to make their services available to customers 24/7, concern over their relative security grows. Whether an app is developed and deployed in-house or outsourced to a third party, inadequate security testing is a problem.
“They represent a dangerous attack vector. It’s the availability. These Web applications have to be available to the public 24/7 and are tied to back-end systems with sensitive data and servers and critical infrastructure that an attacker might not be able to get to otherwise,” Rodriguez noted.