An increase in threats from rogue security software
and a shift towards attacks on vulnerabilities in
third-party applications are among the key trends identified by the
latest edition of Microsoft's Security Intelligence Report
(SIR).
Covering the period from July to December 2008, the report
found that across the IT industry the total
number of unique vulnerability disclosures decreased by 3% compared
with the first half of 2008, and that for the whole year,
disclosures were down 12% on 2007's total.
Even though total disclosures fell, the number of vulnerabilities rated as
high severity by the report actually rose by 4% over 1H08. In fact,
over half (52%) of all disclosed vulnerabilities were rated as high
severity.
Making matters more serious, the percentage of disclosed
vulnerabilities regarded as easiest to exploit also
increased, with 56% rated as Low in exploit complexity. That
said, the total number of high severity vulnerabilities disclosed in 2008
fell by 16% compared with those reported in 2007.
The report also revealed the increasing prevalence of rogue
security software, which tries to convince potential victims to pay for a
"full version" of the product in order to remove malware and protect
themselves from it, to stop the continual alerts and warnings,
or both.
The
principal source of data loss through a security breach in 2H08
was from stolen equipment such as laptop computers, accounting for
a third of all data incidents reported. Together with lost
equipment, these two categories account for half of all incidents
reported. In contrast, security breaches from hacking or malware
incidents remained at less than a fifth of the total.
In what must be an undoubted relief to Microsoft, its report
stated that the proportion of vulnerabilities disclosed in
operating systems across the industry continued to decline with
more than 90% of vulnerabilities disclosed affecting applications
or browsers.
Drilling deeper, Microsoft said that only 8.8% of
vulnerabilities affected operating systems and 4.5% affected
browsers, whilst 86.7% affected applications or other
software. Microsoft software accounted for 6 of the top 10
browser-based vulnerabilities attacked on computers running Windows
XP in 2H08; on Vista-based computers, none of the top 10 were Microsoft vulnerabilities.
Microsoft also warned that there were increasing attempts to
exploit vulnerabilities in third-party applications. Ed
Gibson, Chief Cyber Security Advisor at Microsoft, advised that
companies should adopt strict updating policies for third-party
applications, and pointed specifically to applying security
patches for Adobe Reader, which in his opinion was increasingly
being seen as a target.
Moreover, as for its own products, in 2H08 Microsoft released 42 security bulletins
addressing 97 individual vulnerabilities, a figure
67.2% higher than the number of vulnerabilities addressed
in 1H08. For the full year of 2008, Microsoft released 78 security
bulletins addressing 155 vulnerabilities, a 16.8% increase over 2007.