The growing threat from rogue security software and a shift towards attacks on vulnerabilities in third-party applications are among the key trends identified by the latest edition of Microsoft's Security Intelligence Report (SIR).
Covering the period from July to December 2008, the report found that, across the IT industry, the total number of unique vulnerability disclosures fell by 3% compared with the first half of 2008, and that for the year as a whole disclosures were down 12% on 2007's total.
Even though the total number of vulnerabilities fell, the number rated as high severity by the report actually rose by 4% over 1H08. In fact, over half (52%) of all disclosed vulnerabilities were rated high severity.
Making matters more serious, the share of disclosed vulnerabilities regarded as easiest to exploit also increased, with 56% rated as Low complexity. That said, the total number of high severity vulnerabilities disclosed in 2008 fell by 16% compared with 2007.
The report also revealed the increasing prevalence of rogue security software, which tries to convince potential victims to pay for the "full version" of a product in order to remove malware and protect themselves from it, to stop the continual alerts and warnings, or both.
The principal source of data loss through a security breach in 2H08 was from stolen equipment such as laptop computers, accounting for a third of all data incidents reported. Together with lost equipment, these two categories account for half of all incidents reported. In contrast, security breaches from hacking or malware incidents remained at less than a fifth of the total.
In what must be an undoubted relief to Microsoft, its report stated that the proportion of vulnerabilities disclosed in operating systems across the industry continued to decline with more than 90% of vulnerabilities disclosed affecting applications or browsers.
Drilling deeper, Microsoft said that only 8.8% of vulnerabilities affected operating systems and 4.5% affected browsers, whilst 86.7% affected applications or other software. Microsoft software accounted for 6 of the top 10 browser-based vulnerabilities attacked on computers running Windows XP in 2H08; on Vista-based computers, none of the top 10 were in Microsoft software.
Microsoft also warned of increasing attempts to exploit vulnerabilities in third-party applications. Ed Gibson, Chief Cyber Security Advisor at Microsoft, advised that companies should adopt strict updating policies for third-party applications and pointed specifically to applying security patches for Adobe Reader, which in his opinion was increasingly being seen as a target.
Moreover, reflecting the trend towards more attacks on its products, Microsoft released 42 security bulletins in 2H08 addressing 97 individual vulnerabilities, 67.2% more vulnerabilities than were addressed in 1H08. For the full year of 2008, Microsoft released 78 Security Bulletins addressing 155 vulnerabilities, a 16.8% increase over 2007.