Today Trustworthy Computing released new research that examines the long-term impact of the security mitigations Microsoft has implemented to address software vulnerabilities. The analysis is based on a study of vulnerabilities that were addressed through Microsoft security updates over a seven-year period (2006 to 2012) and are known to have been exploited. The study assesses trends in the classes of vulnerabilities that were exploited, the product versions that were targeted, and the exploitation techniques attackers used.
Some of the key findings from the new research paper released today, called “Software Vulnerability Exploitation Trends,” include:
Figure 1: Percentages of CVEs that were exploited before vs. after security updates were available
Figure 2: The distribution of CVE vulnerability classes for CVEs that are known to have been exploited
Figure 3: The number of CVEs that were exploited using specific exploitation techniques
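The three figures above each summarize one way of slicing a set of exploited CVEs: timing relative to the security update, vulnerability class, and exploitation technique. The script below is an added example, not code or data from the paper, showing how such a dataset would be tabulated. The record layout, field names and the sample records (with placeholder ids, not real CVEs) are constructed for illustration; the one edge case it handles is a record whose first-exploitation date is unknown, which must be excluded from the before/after percentages but still counted in the class and technique distributions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ExploitedVuln:
    """One exploited vulnerability (constructed layout, assumed for this example)."""
    record_id: str          # placeholder id, not a real CVE identifier
    vuln_class: str         # e.g. stack corruption, heap corruption, use after free
    technique: str          # e.g. stack overwrite, heap spray, ROP
    update_released: date   # date the fixing security update shipped
    first_exploited: Optional[date]  # None when the first-exploitation date is unknown


# Constructed sample records; values are illustrative only and not from the paper.
SAMPLE: List[ExploitedVuln] = [
    ExploitedVuln("rec-01", "stack corruption", "stack overwrite", date(2006, 4, 11), date(2006, 6, 1)),
    ExploitedVuln("rec-02", "heap corruption",  "heap spray",      date(2008, 10, 14), date(2008, 9, 30)),
    ExploitedVuln("rec-03", "use after free",   "heap spray",      date(2010, 3, 9),  date(2010, 3, 1)),
    ExploitedVuln("rec-04", "use after free",   "ROP",             date(2012, 6, 12), date(2012, 6, 20)),
    ExploitedVuln("rec-05", "stack corruption", "stack overwrite", date(2007, 2, 13), None),
]


def exploited_before_update(r: ExploitedVuln) -> bool:
    """True when exploitation is known to predate the update (a zero-day at the time).
    Exploitation on the release day itself is treated as 'after': the fix existed."""
    return r.first_exploited is not None and r.first_exploited < r.update_released


def before_after_percentages(records: List[ExploitedVuln]) -> Tuple[float, float]:
    """Figure 1 style: percentage exploited before vs after the update was available.
    Records with an unknown first-exploitation date are dropped from the denominator
    rather than silently counted as 'after'."""
    known = [r for r in records if r.first_exploited is not None]
    if not known:
        return (0.0, 0.0)
    before = sum(1 for r in known if exploited_before_update(r))
    pct_before = 100.0 * before / len(known)
    return (pct_before, 100.0 - pct_before)


def class_distribution(records: List[ExploitedVuln]) -> Dict[str, int]:
    """Figure 2 style: count of exploited records per vulnerability class."""
    return dict(Counter(r.vuln_class for r in records))


def technique_counts(records: List[ExploitedVuln]) -> Dict[str, int]:
    """Figure 3 style: count of exploited records per exploitation technique."""
    return dict(Counter(r.technique for r in records))


def before_update_share_by_year(records: List[ExploitedVuln]) -> Dict[int, float]:
    """Trend view: per update-release year, the share of records (with a known
    exploitation date) that were exploited before the update shipped."""
    per_year: Dict[int, List[ExploitedVuln]] = {}
    for r in records:
        if r.first_exploited is not None:
            per_year.setdefault(r.update_released.year, []).append(r)
    return {
        year: 100.0 * sum(exploited_before_update(r) for r in rs) / len(rs)
        for year, rs in sorted(per_year.items())
    }


if __name__ == "__main__":
    print("before/after update (%):", before_after_percentages(SAMPLE))
    print("by class:", class_distribution(SAMPLE))
    print("by technique:", technique_counts(SAMPLE))
    print("before-update share by year:", before_update_share_by_year(SAMPLE))
```

The same functions work unchanged on a real export as long as each row carries the update date and, where known, the earliest confirmed exploitation date; the decision to exclude unknown dates from Figure 1 while keeping them in Figures 2 and 3 is the part most easily got wrong when the tabulation is done ad hoc.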
There are plenty of other data points included in this new research that help us understand the factors that make exploitation of vulnerabilities more difficult. Based on the research, the paper makes specific recommendations on how these factors can be influenced to help reduce the likelihood of exploitation and thereby help manage risk.
This paper is recommended reading for people who are responsible for managing risk for their organization. It can be downloaded from http://download.microsoft.com/download/F/D/F/FDFBE532-91F2-4216-9916-2620967CEAF4/SoftwareVulnerability Exploitation Trends.pdf
You might wonder why we conduct this type of research. Many of the customers I talk to are interested in using software vulnerability counts as a measure of whether the industry, and the software vendors they procure from, are getting better or worse at developing software with fewer and less severe vulnerabilities. We publish various vulnerability counts in the Microsoft Security Intelligence Report. But simply counting vulnerabilities assumes that all vulnerabilities pose equal risk, which they do not. When we take a closer look at which vulnerabilities attackers actually exploit and how they exploit them, we get a better picture of what is really going on, and that picture can inform how the associated risks are managed more efficiently.
This research was conducted by the Microsoft Security Engineering Center (MSEC) and the Microsoft Security Response Center (MSRC). The MSEC conducts some of the industry’s most advanced security science research. This security science helps customers in three essential ways:
If you are interested in learning more about the MSEC and security science, please check out http://www.microsoft.com/msec.
Tim Rains, Director, Trustworthy Computing