The number of software vulnerability disclosures is at its lowest point since the second half of 2005, according to a report from Microsoft. The report also noted that criminals have shifted the focus of their attacks from email to the web — a trend seen in other similar reports.
According to the report, the fourth volume of Microsoft’s Security Intelligence Report (SIR), unveiled on Tuesday at Infosecurity Europe 2008 in London, new security vulnerability disclosures declined by 15 percent in the second half of 2007, and total vulnerability disclosures decreased by five percent for all of 2007.
Microsoft defines vulnerabilities as “weaknesses in software that allow an attacker to compromise the integrity, availability or confidentiality of that software.”
On the flip side, the company’s findings reveal a 300 percent increase in the number of trojan downloaders and droppers, which are malicious code used to install files on users’ systems. These programs, which disguise themselves as legitimate software and are most often installed via the web, download additional malicious software, such as a keylogger or adware, onto a victim’s computer.
This illustrates that the malware category continues to grow in popularity among attackers, the report said.
The report also revealed that between July 1 and Dec. 31 there was a 66.7 percent increase in the number of “detections” of potentially unwanted software, meaning programs that may impact user privacy or security by performing unwanted activity. Microsoft said it found 129.5 million pieces of potentially unwanted software on users’ systems during the last six months of 2007.
Microsoft said the report is based on data from approximately 450 million computers using the Microsoft Malicious Software Removal Tool that ships with Windows. According to the report, the company’s Malicious Software Removal Tool deleted malware from one out of every 123 computers it inspected each month during the last six months of the year. The United States was the most infected country, with one in every 112 PCs containing malware, and Japan the least infected, with malware found on one in 685 computers.
“The report mostly jives with what we’re seeing in the field,” Doug Camplejohn, chief executive officer of web security vendor Mi5 Networks, told SCMagazineUS.com. “We’re seeing that threats are moving a lot more to the web.”
The good news, however, is that customers have spent time protecting email, he said.
“The problem is the threats have moved to the path of least resistance, and that’s become the web, one of the things Microsoft confirmed in its report,” Camplejohn said.
The decline in the number of software vulnerabilities Microsoft reported surprised Camplejohn, he said.
“It’s unclear whether we’re seeing an ongoing decline or whether fewer people are disclosing and more of them are keeping them private and exploiting them,” he said. “It’s unclear what conclusion to draw out of this single data point, which does not make it a trend.”
“I do think that there is less incentive to announce vulnerabilities, so that is probably a driver for the number of vulnerabilities going down,” Mike Rothman, principal at research firm Security Incite, told SCMagazineUS.com. “I also think Vista is architected better (from a security standpoint) and XP SP2 (Service Pack 2) is mature enough that a lot of the low-hanging fruit has been fixed.”
Microsoft’s Systems Development Lifecycle (SDLC), intended to develop more secure code, makes a big difference in the security of the company’s operating systems and applications, Rothman added.
“Microsoft has been a positive case study in adopting secure coding practices and most of the other packaged software vendors would be wise to follow Microsoft’s lead,” he said. “Nothing is perfect, nor will it ever be, but Microsoft has made a lot of progress over the past five years.”