Microsoft Security Blog

The official Microsoft blog for discussing industry and Microsoft security topics.

April, 2013

  • Anti-virus Software is Dead…Really?

    Yesterday we released the latest volume of the Microsoft Security Intelligence Report. Among the ~800 pages of new threat intelligence is a new study that attempts to quantify the benefit of running up-to-date anti-virus (AV) software.  The study leveraged data from over a billion systems worldwide, and it turns out that systems that do not have up-to-date AV are 5.5 times more likely to be infected with malware than systems that are protected.  It’s also noteworthy that almost 270 million systems worldwide did not have up-to-date AV installed in the second half of 2012; many people who could be benefiting from the protection that AV offers are not.

    Didn’t we already know this?
    While it might seem like common sense that AV software is a good thing to have, I think much of the evidence I have seen to support this notion has mostly been anecdotal.  I have attended and spoken at numerous security industry conferences over the past couple of years where I have heard more and more industry security experts question the efficacy of AV.  The typical argument against AV is the erroneous assumption that since it can’t block or detect 100% of threats, including some of the high-profile targeted attacks that have been reported over the last few years, then it’s entirely worthless and not worth running. 

    To me, this point of view seems less than pragmatic, as part of the challenge the industry has is to protect the billions of devices that are now continuously connected to the Internet from the flood of new threats that continually emerge.  Since both the number of connected devices and the number of threats will only increase in the future, how to scale protections will always be important.  More and more attackers are using automation and sophisticated techniques like server-side polymorphism to generate massive numbers of threats; Figure 1 below illustrates the estimated growth of malware since 1991 and Figure 2 shows 29,451,883 computers had detections/removals of malware in the ten most active countries in the 90 days of the fourth quarter of 2012 alone.  In this type of environment AV is becoming more important, not less important.

  • Volume 14 of the Microsoft Security Intelligence Report Released: Hundreds of Pages of New Security Intelligence Now Available

    We released the latest volume of the Microsoft Security Intelligence Report today that provides a large body of new data and analysis on the threat landscape.  Volume 14 focuses on what the threat landscape looked like in the second half of 2012, including trend data from previous periods.  This volume of the report contains:

    • Industry-wide vulnerability disclosure trends and analysis
    • An examination of global vulnerability exploit activity
    • Trends and analysis on global malware and potentially unwanted software
    • The latest analysis of threats in more than 100 countries/regions around the world
    • Data and insights on how attackers are using spam and other email threats
    • The latest global and regional data on malicious websites including phishing sites, malware hosting sites and drive-by download sites

    In addition, we have included a section in the report focused on quantifying the value of using up-to-date antimalware software.  This is a must read for those Information Technology/security professionals who are grappling with the challenge of articulating why investing in antimalware software is so important to the security of their organization, possibly among those questioning its efficacy.

    I encourage you to download the new SIR and take full advantage of the new research it contains as well as the hundreds of pages of new threat intelligence.  We also have a shorter Key Findings Summary available, new video content, and past volumes of the report, all at

    Tim Rains
    Trustworthy Computing

  • Malicious Websites Now the Top Threat to the Enterprise

    For the past three and a half years, Win32/Conficker has been the top threat found in enterprise environments.  We have reported on Conficker in the Microsoft Security Intelligence Report since the second half of 2008.  No new variants of Conficker have been released in years and the methods it uses to propagate are well known, but once it finds its way into an environment it can be difficult to eliminate it.

    New data just published in volume 14 of the report, focused on the second half of 2012 (2H12), shows that Conficker has competition as the number one threat in enterprise environments.  Figure 1 shows that JS/IframeRef was encountered by more computers than Conficker in the second (2Q12) and fourth (4Q12) quarters of 2012.  IframeRef was detected almost 3.3 million times in 4Q12.  JS/IframeRef is a malicious piece of JavaScript code that is presented on infected or malicious websites.  The purpose of the script is to redirect your browser to other sites that attempt to download malware onto your computer, often by exploiting unpatched software vulnerabilities.

  • Microsoft’s Perspective on Creating a Framework to Reduce Cyber Risk to Critical Infrastructure

    Cybersecurity continues to be a hot topic around the world, particularly as governments develop policies to improve cybersecurity in critical infrastructure. In the U.S., the White House released an Executive Order entitled Improving Critical Infrastructure Cybersecurity to drive a concerted effort across departments, agencies and industry to improve the posture of the nation’s critical infrastructures against cyber-attacks. The Executive Order gave responsibility to the National Institute...
  • Microsoft Security Intelligence Report Volume 14 – Coming Soon!

    As you might be aware, Microsoft releases its Security Intelligence Report (SIR) twice a year to help inform customers on changes in the threat landscape.  The report includes data from over a billion systems worldwide, regional analysis for 105 countries/regions and is designed to help customers manage risk within their environments. 

    One of the things we thought we would do differently for this release is give you a sneak peek at what’s coming in volume 14 of the Microsoft Security Intelligence Report (SIRv14).  Check out my video below for some of the latest threat trends to emerge in the second half of 2012.

  • The Countdown Begins: Support for Windows XP Ends on April 8, 2014

    Yesterday marked the one-year countdown to the end of extended support for Windows XP Service Pack 3 (SP3). I wanted to pause today and lay out some of the important security implications of end of support so that customers are informed about what this change means to them.

    It has been twelve years since the release of Windows XP and the world has changed so much since then.  Internet usage has grown from ~361 million to more than 2.4 billion users.  We have witnessed the rise of the internet citizen with members of society connected through email, instant messaging, video-calling, social networking and a host of web-based and device-centric applications.  As the internet becomes more and more woven into the fabric of society, it has also become an increasingly popular destination for malicious activity (as evidenced in the Microsoft Security Intelligence Report.)  Given the rapid evolution, software security has had to evolve to stay ahead of cybercrime.  To help protect users from rapid changes in the threat landscape, Microsoft typically provides support for business and developer products for 10 years after product release, and most consumer, hardware, and multimedia products for five years after product release.     


  • The Threat Landscape in Ukraine: Where Malicious Websites Thrive

    Belarus, China, and Ukraine had the highest concentrations of malware hosting sites in the second quarter of 2012 (2Q12), based on data from the Microsoft Security Intelligence Report volume 13.  Belarus had the highest number of malware hosting servers in 2Q12, but Ukraine had the highest concentration of malware hosting servers in 1Q12, more than double the worldwide average.  I have already published details on the threat landscape in China and Belarus.  This article focuses on the threat landscape in Ukraine. 

  • The Threat Landscape in Belarus: Highest Concentration of Malware Hosting Servers

    I recently wrote an article examining the concentrations of malware hosting servers located in different regions of the world.  As seen in Figure 1, Belarus and China had the highest concentrations of malware hosting sites per 1,000 Internet hosts in the second quarter of 2012 (2Q12), based on data from the Microsoft Security Intelligence Report volume 13.  Naturally, this led to a few people asking me for more details on what has been happening in these locations.  I recently published an article with more details on China called The Threat Landscape in China: A Paradox.  This article focuses on Belarus.