:-)
Roger
As you may know, we announced version four of the Microsoft Security Intelligence Report earlier this week. Among the many interesting findings is data relating to software vulnerability exploits. I wanted to highlight it because Shoaib, one of my blog readers, recently asked for my views on a post he wrote.
Here are the key findings:
We even added a table comparing selected products in 2006 and 2007. "CVE ID Count" is the number of CVE IDs published for that product version in the year, "CVE Exploits" the number of those CVE IDs with an exploit, "Pct." the exploited share, and "Delta" the change in that share from 2006 to 2007 in percentage points ("—" where a version had no CVE IDs in that year):

| Product | Version | CVE ID Count (2006) | CVE Exploits (2006) | Pct. (2006) | CVE ID Count (2007) | CVE Exploits (2007) | Pct. (2007) | Delta (pct. points) |
|---|---|---|---|---|---|---|---|---|
| Internet Explorer | 5 | 26 | 7 | 26.9% | 19 | 3 | 15.8% | -11.1% |
| Internet Explorer | 6 | 26 | 5 | 19.2% | 19 | 3 | 15.8% | -3.4% |
| Internet Explorer | 7 | 0 | 0 | — | 19 | 3 | 15.8% | — |
| Microsoft Office | 2000 | 45 | 8 | 17.8% | 21 | 11 | 52.4% | 34.6% |
| Microsoft Office | XP | 44 | 9 | 20.5% | 24 | 11 | 45.8% | 25.3% |
| Microsoft Office | 2003 | 40 | 9 | 22.5% | 24 | 11 | 45.8% | 23.3% |
| Microsoft Office | X (Mac) | 26 | 3 | 11.5% | 5 | 2 | 40.0% | 28.5% |
| Microsoft Office | 2004 (Mac) | 33 | 5 | 15.2% | 22 | 8 | 36.4% | 21.2% |
| Microsoft Office | 2007 | 0 | 0 | — | 9 | 1 | 11.1% | — |
| Windows | 98 | 27 | 7 | 25.9% | 0 | 0 | — | — |
| Windows | ME | 27 | 6 | 22.2% | 0 | 0 | — | — |
| Windows | 2000 | 73 | 18 | 24.7% | 51 | 6 | 11.8% | -12.9% |
| Windows | XP | 84 | 59 | 70.2% | 55 | 6 | 10.9% | -59.3% |
| Windows | 2003 | 78 | 32 | 41.0% | 57 | 21 | 36.8% | -4.2% |
| Windows | Vista | 1 | 0 | 0.0% | 40 | 12 | 30.0% | 30.0% |
So, what does this tell us?
When we look at attacks and at the "time to exploit", which is clearly shrinking, we have to take into account that malware (which often exploits vulnerabilities) is increasingly focused on financial gain. The chart below shows this very well:
So, what do this and the report above allow us to conclude:
One final comment: to me it is not only about exploits, it is about the process of creating Security Updates as well. In this context I would like to remind you of my recent post on 0-Day-Patch – A new Metric for Security?
Roger
As you probably know, I am Swiss. We have a saying in Switzerland (I do not know whether something similar exists in English) that the shoemaker's children always have the worst shoes… So, what about security professionals? No, I am not talking about their shoes, but about the way they handle security.
It seems that during Infosec (the information security exhibition in London) there were quite a few notebooks just lying around and, even worse, unlocked. Now, we ask users to take care, but we do not even get the basics right ourselves? A few years ago I once said that whenever I found an unlocked notebook in the office, I would add myself as a local admin (as most of us are admins on our boxes, this is a fairly easy task if the machine is not locked). After doing that, I waited for the next time we had a meeting together. It is the Microsoft attitude that you take your notebook to meetings (and some do e-mail during the meetings :-( ). I then remotely rebooted their notebook… I can tell you, the look on their faces was really worth it.
If you want to read the whole story on Infosec: Infosec: Security pros 'ignoring' their own message
Roger
There is an interesting article on the value of the Malicious Software Removal Tool (MSRT, the tool we release monthly to clean PCs) and the fight against Storm. It gives you some insight into how our Malware Protection Center works and what they did against Storm. Pretty interesting reading (even though I do not like the title):
Microsoft: We took out Storm botnet
Roger
Ed Gibson, our CSA in the UK, gave an interview to VNunet during Infosec. He made some interesting statements:
We have a good set of laws in place and they have teeth. But the police have priorities and budgets set by the Home Office
and
Any one of you here would volunteer for neighborhood watch if you thought it would improve your community. So why not online?
Read and listen to the whole interview
Roger