The third volume of the Microsoft Security Intelligence Report (SIR) is now available for download at:  www.microsoft.com/sir - this link will take you to a summary portal that has links to the downloadable document, upcoming webcasts about the SIR results, and so on.

As one of the primary authors for the vulnerability trends information, I will be hosting one of the webcasts on November 1, 2007 and you can register here:  Microsoft Security Intelligence Report: Overview of Latest Trends in Vulnerabilities and Malicious Software (Level 100).

If you want to quickly download the report in pdf, click on this link.

There are lots of interesting results (with charts) in the SIR and I encourage you to read the whole report.  However, here are a few of the things I would call out to you.

The number of disclosures of new software vulnerabilities across the industry continues to be in the thousands, with more than 3,400 new vulnerabilities disclosed in 1H07. But this number actually represents a decrease from 2H06, the first period-to-period decline in total vulnerabilities since 2003.

[Chart sir3f6: industry-wide vulnerability disclosures by period, total and by severity]

Note, however, another trend shown in the chart: High severity vulnerabilities continued to grow significantly even while the overall total flattened out.  In the full report, you'll also note a trend reversal in exploit complexity, with the complexity required to exploit a vulnerability dropping as well.

There are a couple of other interesting results that I want to call out, which you should examine in more detail in the full report:

  • Social engineering plays a growing role in overall malware attack techniques.  This is a key result since even with vulnerability-free software, these techniques could succeed against users of any platform.
  • Windows Defender has proportionally detected 2.8 times less potentially unwanted software on computers running Windows Vista than on computers running Windows XP SP2, based on normalized data.   This is a practical measure of benefit that is, in my opinion, somewhat more valuable than vulnerability-count comparisons.

That is enough teasers. Download the report at www.microsoft.com/sir.

Regards ~ Jeff