Roger's Security Blog

As Chief Security Advisor of Microsoft EMEA - let's share interesting security information

Security Updates and Exploits


As you may know, we announced version four of the Microsoft Security Intelligence Report earlier this week. Amongst the many interesting findings is data which relates to software vulnerability exploits. I wanted to highlight these as Shoaib, one of my blog readers, contacted me recently to get my views on a post he wrote.

Here are the key findings:

  • During 2007, 32.2 percent of known security vulnerabilities (CVE IDs) in the Microsoft products analyzed for this report had publicly available exploit code. This is nearly identical to the totals from 2006 when 32.7 percent of known security vulnerabilities for the same products had publicly available exploit code.
  • Microsoft matched each public exploit with its corresponding vulnerability using CVE identifiers and Microsoft security bulletins. The number of Microsoft security bulletins released in 2007 was 11.5 percent lower than in 2006, and the number of vulnerabilities covered by those bulletins was 29.6 percent lower than the number covered by the 2006 bulletins.
  • In a product-by-product comparison, more recent versions of Microsoft products were proportionally less affected by publicly available exploit code than earlier versions. This trend is especially visible with Microsoft Office. Only 11.1 percent of known vulnerabilities in the 2007 Microsoft Office system had exploit code publicly available, compared with 45.8 percent for Office 2003 and Office XP, and 52.4 percent for Office 2000.

We additionally looked at the exploits based on CVE and added a table comparing selected products in 2006 and 2007 (the percentage is the share of that version's CVE IDs with public exploit code; the delta is the change in that share, in percentage points):

By CVE ID

| Product | Version | 2006 CVE ID Count | 2006 CVE Exploits | 2006 Pct. | 2007 CVE ID Count | 2007 CVE Exploits | 2007 Pct. | Delta Pct. |
|---|---|---|---|---|---|---|---|---|
| Internet Explorer® | 5 | 26 | 7 | 26.9% | 19 | 3 | 15.8% | -11.1% |
| Internet Explorer® | 6 | 26 | 5 | 19.2% | 19 | 3 | 15.8% | -3.4% |
| Internet Explorer® | 7 | 0 | 0 | n/a | 19 | 3 | 15.8% | n/a |
| Microsoft Office | 2000 | 45 | 8 | 17.8% | 21 | 11 | 52.4% | 34.6% |
| Microsoft Office | XP | 44 | 9 | 20.5% | 24 | 11 | 45.8% | 25.3% |
| Microsoft Office | 2003 | 40 | 9 | 22.5% | 24 | 11 | 45.8% | 23.3% |
| Microsoft Office | X-Mac | 26 | 3 | 11.5% | 5 | 2 | 40.0% | 28.5% |
| Microsoft Office | 2004-Mac | 33 | 5 | 15.2% | 22 | 8 | 36.4% | 21.2% |
| Microsoft Office | 2007 | 0 | 0 | n/a | 9 | 1 | 11.1% | n/a |
| Windows® | 98 | 27 | 7 | 25.9% | 0 | 0 | n/a | n/a |
| Windows® | ME | 27 | 6 | 22.2% | 0 | 0 | n/a | n/a |
| Windows® | 2000 | 73 | 18 | 24.7% | 51 | 6 | 11.8% | -12.9% |
| Windows® | XP | 84 | 59 | 70.2% | 55 | 6 | 10.9% | -59.3% |
| Windows® | 2003 | 78 | 32 | 41.0% | 57 | 21 | 36.8% | -4.2% |
| Windows® | Vista | 1 | 0 | 0.0% | 40 | 12 | 30.0% | 30.0% |
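As an added illustration of the matching the report describes (my own example, not the report's code or data): join a constructed set of bulletin CVE IDs to a constructed list of CVE IDs with public exploit code, compute the per-version exploit share and the 2006-to-2007 delta, and treat a version with no CVEs in a year as having no percentage, as the blank cells in the table do. The product and version names and the CVE counts are taken from the Internet Explorer rows above; the individual CVE IDs are made up.

```python
import re

# Constructed sample data (not the report's data): per (product, version, year)
# the CVE IDs covered by that year's bulletins, plus a list of CVE IDs for which
# exploit code is public. Counts mirror the IE 5 / IE 7 rows of the table above.
def _ids(year, n, start=1):
    return [f"CVE-{year}-{i:04d}" for i in range(start, start + n)]

SAMPLE_BULLETINS = {
    ("Internet Explorer", "5", 2006): _ids(2006, 26),
    ("Internet Explorer", "5", 2007): _ids(2007, 19),
    ("Internet Explorer", "7", 2006): [],            # version not yet shipped
    ("Internet Explorer", "7", 2007): _ids(2007, 19),
}
# One exploit entry is lower-case and one references a CVE no bulletin covers.
SAMPLE_EXPLOITS = _ids(2006, 7) + _ids(2007, 2) + ["cve-2007-0003", "CVE-2007-9999"]

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

def exploit_share(bulletin_cves, exploit_cves):
    """Join exploit records to bulletin CVEs by CVE ID and return, per
    (product, version, year), a tuple (cve_count, exploit_count, pct).
    pct is None when no CVEs were published for that version/year."""
    exploited = {c.upper() for c in exploit_cves}
    bad = [c for c in exploited if not CVE_RE.match(c)]
    if bad:
        raise ValueError(f"malformed CVE IDs in exploit list: {bad}")
    stats = {}
    for key, cves in bulletin_cves.items():
        ids = {c.upper() for c in cves}      # dedupe: a CVE ID counts once
        hit = len(ids & exploited)           # exploits without a bulletin CVE are ignored
        pct = round(100.0 * hit / len(ids), 1) if ids else None
        stats[key] = (len(ids), hit, pct)
    return stats

def delta(stats, product, version):
    """Percentage-point change from 2006 to 2007; None if either year is empty."""
    a = stats.get((product, version, 2006), (0, 0, None))[2]
    b = stats.get((product, version, 2007), (0, 0, None))[2]
    return None if a is None or b is None else round(b - a, 1)

if __name__ == "__main__":
    s = exploit_share(SAMPLE_BULLETINS, SAMPLE_EXPLOITS)
    for (product, version, year), (n, hit, pct) in sorted(s.items()):
        print(f"{product} {version} {year}: {hit}/{n} exploited ({pct}%)")
    print("IE 5 delta:", delta(s, "Internet Explorer", "5"),
          "IE 7 delta:", delta(s, "Internet Explorer", "7"))
```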

So, what does this tell us?

When we look at attacks and the "time to exploit", which is definitely decreasing, we have to take into consideration that malware (which often exploits vulnerabilities) is increasingly focused on financial gain. The chart below shows this very well:

So, what do this and the report above allow us to conclude?

  • Criminals are getting smarter, more professional and faster – with or without this kind of technology
  • As a result of the Security Development Lifecycle, which sets standards for secure development practices that all Microsoft products have to adhere to, the latest versions have significantly fewer vulnerabilities compared both to older versions and to competing products
  • We have to continue to invest in producing high-quality security updates (by "we" I mean the whole industry) in order to allow for shorter patching cycles
  • Vendors have to work closely with customers to share patch management best practices. This is something we have been doing for a long time.

One final comment: To me it is not only about exploits, it is about the process of creating security updates as well. In this context I would like to remind you of my recent post on 0-Day-Patch – A New Metric for Security?

Roger
