RSSMicrosoft security report points to downtrend in malware
By Scott M. Fulton, III | Published November 3, 2008, 2:44 PM
There's fewer reports of malware in the wild for the entire industry, Microsoft said this morning -- an indication, it says, that the security field is getting smarter. But once again, do undisclosed vulnerabilities simply not count?
In a more circumspect report than those the company published previously, Microsoft is saying today that the general trend toward malware distribution worldwide is continuing on a decline, and that Microsoft may be contributing to that decline through a reduction in Windows-targeted malware by more than one-third.
Once again, however, the company is basing its statistics on disclosures of vulnerabilities, often comparing them to disclosures for the rest of the industry. Non-Windows disclosures may have risen for any number of reasons, including possibly better vigilance among Linux and Mac OS users and supporters. Of course, it's difficult if not impossible to measure the effects of non-disclosed vulnerabilities; but on the other hand, some troubles are demonstrably more malicious than others.
That said, authors of the latest Microsoft Security Intelligence Report released yesterday are saying that the total number of reported vulnerabilities reported in all software (not just Microsoft) declined in the first half of 2008 by about 4% from the previous sampling period in the second half of 2007, and down 19% from the first half of 2007. However, judging from the breakdown of those reports, the percentage of reports with high severity ratings rose by (if one interprets the graph by eyeball) about 5%.
"While a 19 percent general decrease in disclosures from a year ago is generally considered good news, it can't really be considered 'good' for the industry when more than 15 new software vulnerabilities, on average, continue to be disclosed each day," reads the latest report. "At these levels, the need for software risk management programs continues to be high."
Microsoft's overall contribution to the number of vulnerability reports continues to trend down, states the MSIR, from nearly 10% of all cases during the second half of 2003 to less than 3% in the last six months.
What these numbers mask is the impact that some flaws may have on everyday users, compared against other flaws. On the one hand, the architecture behind last July's extremely critical DNS flaw had been publicly known for years. The formal report of the flaw itself, however, may have been counted as just one vulnerability among many for the first half of the year. Yet the actual impact of the flaw in this case was very minimal, since it did not appear to have been widely exploited to any great degree prior to the efforts of companies including Microsoft, working in conjunction with security researcher Dan Kaminsky.
Thus what might otherwise given someone leverage to cripple the entire Internet actually ended up a blip on the radar.
Today's MSIR report also comes clean on a point that was masked over at this time last year: Reports of vulnerabilities in Microsoft products in general rose very sharply during the second half of 2006 -- coincidentally, the time of Vista's volume license release -- only to begin a decline to about half as many today. But last year, the company was touting its relative integrity as much higher, on the basis of very few reports of holes in Windows XP and Vista, versus other operating systems.
Viewpoint depends on where you stand; and in that case, the company was apparently excluding the reality that the attack vectors have spread in such a way that malware targets applications rather than the OS specifically. Third-party software is becoming the attack vector of choice, and Microsoft was clearer about that point in today's report. During the first half of the year, it states, 42.3% of reports of browser-based exploits specifically targeted Windows XP, with the remainder targeting third-party software (conceivably Adobe Flash may be included in that bunch). By comparison, only 5.7% of reports of browser-based exploits on systems running Vista were for malware that actually targeted Vista specifically.
Again, this is not to say less malware targets Vista -- that would be an inaccurate conclusion, though Microsoft leaves the door open for those who wish to draw that conclusion. Rather, there are fewer reports of such incidents, which is an indication that attempts at exploiting Vista-based browsers are failing.
This season's report refrained from drawing blanket comparisons of Windows' relative safety compared to Mac OS or Linux, a subject which got Microsoft into hot water last year. It does compare versions of Windows to one another, with each successive version appearing to have fewer reports. However, while Vista SP1 seems to have slightly fewer reports than the original Vista RTM version for the first half of the year, SP1 only began distribution in late March.
In just the United States, the single most effective family of worms in the wild was the malicious IE-targeting Trojan Win32/Zlob, according to the MSIR report, with 5,427,360 infected computers -- more than double the amount of the #2 worm, adware Trojan Win32/Vundo.
besides all that most of the security holes in Windows are exploited via third party applications including rotten Apple's Quick time etc: http://blogs.zdnet.com/BTL/?p=10639
Here's something interesting from that page:
"Microsoft’s data confirms the findings of other security vendors such as Kaspersky. For instance, hackers are attacking Vista almost entirely through third party applications"
That's true!!
IE for Vista is very secure because it runs on isolation mode though I don't use IE, prefer Firefox over IE
Score: 0
|This only proves what I've been saying all along. Windows is your best, most intelligent, and really, only real choice when it comes to computing. Your hardware, Your software, Your ability to Choose.
Any other platform is hamstrung by hardware lock-in, software lock-in, or a complete and utter lack of any form of commercial support.
Windows 7 will only improve on the legacy that started with Windows Vista. Security, and reliability. Truly smart computing.
Oh, and get out the Vote today, folks. I am voting for Bill Gates, obviously, for every office. I urge you all to do the same.
Score: 0
|Yup I agree :P (Nice side of I7 :P)
Now why don't you answer my question that you had left over w/o answering from my post (Windows vs Mac OS X): http://www.betanews.com/..._learn_today/1225564999
The CrapMacFan7 side of yours couldn't answer my question :P
Scroll down to see my posts :P
Score: 0
|Hell yea!
Score: 0
|Of course Malware reports are down... more people than ever are switching to Macs.
Score: 0
|Lol! Whatever helps you sleep at night. Who am I to keep you from a good nights rest.
Score: 0
|/facepalm...there'll be an upward trend in malware for Mac soon then...
Score: 0
|Yes guys if you wanna be fool like I am with cool looking useless Macs then switch to expensive Macs. If you wanna get every thing done in one OS which offers more awesome features than Myahh OS X w/o the need to switch to another OS then switch to Windows and be cool just like more than 90% of the world wide computer users are.
Yours truly
Steve Jobs's gay partner :)
Score: 0
|Sorry, I feel I need to be more specific on this:
More people are switching to Macs and running Windows on them. Most of these new Macs are running Vista as well as Mac OSX, and if these users are at all intelligent, they spend most of their computer using time in the Best OS there is, on the Best Hardware there is; To whit: Windows Vista on a Mac PC.
Since Windows Vista is exponentially more secure than any other OS on the planet, you'd be crazy to do otherwise.
Score: 0
|Your first "I" is a capital. You fail. Go back to whatever hole you crawled out of, fake me.
Score: 0
|I agree with you I7 :P
Score: 0
|Your first "i" is small. You fail. Go back to whatever hole you crawled out of, fake me.
Score: 0
|Your lead sentence begins: "There's fewer reports of malware . . ."
That's simply illiterate - and on the most basic level, number agreement. Would you say, eliminating the contraction: "There is fewer reports of malware . . ."?
No, you would say, "There *are* fewer reports . . ."
Come on, guys - this is just *basic* English we're talking about.
Score: 0
|Wow what is up with everybody nitpicking! Does it really matter that much? That is a VERY small and a VERY easy mistake to make.
Score: 0
|Unless you actually know, like... English. ;)
Score: 0
|Yes, it matters.
Score: 0
|Eeh...I admit it's a little bit colloquial to say "There's fewer" or "there's more," but how many times have you, say, written in to an infomercial producer asking it to replace the phrase, "But wait! There's more!" with "There are more!"
You're right that it's technically not a subject/verb agreement. But we see cases where this slides all the time; biggest case in point is the plural pronoun representing the genderless antecedent, as in, "The user fills out their registration card."
Illiterate? Uh-uh. I've edited way too many textbooks in my time to fall into that category.
-SF3
Score: 0
|There is nothing wrong with 'There is more...'
Unlike 'fewer', 'more' can be used with uncountables. In Otherwords, 'fewer' is used only with countables, therefore 'There is fewer...' does not make sence.
Example:
There is more water in this glass than the other one.
There are fewer pencils on this table than that one.
Score: 0
|malware code writers are taking the path of least resistence because microsoft has been a pain in their a*s by continously provided security improvements to the o.s. and their products.
unfortunately, such actions and concerns are not provided by most third party software, freeware and open source wares.
Score: 0
|Yep they are moving over to the Macs now. It is kind of like trying to smack someone who is asleep instead of the one already awake and dodging your every swing. I can promise you those Macs have holes. People just haven't started trying to find them until now. The days of "Macs are more secure" are coming to an end.
Score: 0
|Let the osx 0day begin...yay...
Score: 0
|