MS blames non-Redmond apps for security woes

Issues are third party and they'll cry if they want to

28 Reg comments Got Tips?

Microsoft has blamed common third-party desktop applications, rather than Windows, for the majority of security threats in a new report. The finding might appear surprising at first but is backed by independent security notification firm Secunia.

The latest edition of Microsoft's Security Intelligence Report suggests that "nearly 90 percent of vulnerabilities disclosed in the second half of 2008 affected applications". It reckons hackers have shifted their attention to applications in response to improved security of operating systems, including Windows. The overall number of security vulnerabilities went down, but the number of high-risk flaws rose by 4 per cent, according to Redmond's security researchers.

Which flaws feature in attacks, and their severity, are a much better guide to risk than simply counting the number of vulnerabilities. Microsoft-related problems were held responsible for six of the top 10 browser-based vulnerabilities attacked on machines running Windows XP in the second half of 2008, compared to none on PCs running Windows Vista. The most attacked vulnerabilities involved a flaw in Windows graphics rendering engine (MS06-01) and a RealPlayer console vulnerability. An Adobe Flash vulnerability was the single most common way of attacking Vista machines, with the RealPlayer console flaw cropping up at number three.

"Newer versions of Microsoft software are more secure than previous versions," the software giant said, neatly avoiding the awkward point that supposed security improvements with Vista have made the operating systems slower and more intrusive, (largely thanks to permitted application dialogue pop-ups), contributing to the desire of many to stick with or downgrade to XP.

Security isn't everything, even though evidence from Microsoft suggests that Vista is more resistant to malware. The infection rate of Windows Vista SP1 is 60.6 percent less than that of Windows XP SP3, the software giant reports.

Thomas Kristensen, chief technology officer at security notification firm Secunia, said that poor updating of third-party software makes non-Microsoft vulnerabilities an attractive target for hackers.

“We don't track actual exploits but recently we have been in close dialogue with a number of financial institutions and others who regularly do deal with actual e-crime,” Kristensen told El Reg. “The picture described by them clearly shows that the criminals focus more and more on third-party vulnerabilities and less on Microsoft vulnerabilities.”

“If you look at some of the recent stats from Secunia the reason should be obvious, even the security conscious Secunia PSI and OSI users are generally slower at updating their third party software than their Microsoft software,” he added.

Microsoft's study also warns of a "growing tide" of rogue security software (AKA scareware) applications, examples of which appear high up on Redmond's threat index. For example, two rogue families, FakeXPA and FakeSecSen, were detected on more than 1.5 million computers running Microsoft's malicious software removal tool, making them among the top 10 threats of the second half of 2008. In addition, Renos, a malware strain used to push separate scareware applications, was picked up on 4.4 million Windows PCs in the second half of 2008, an increase of two-thirds over the first six months of the year.

Lastly the report found that lost and stolen equipment was the cause of half the data loss problems publicly reported in the second half of last year.

The latest (sixth) edition of Microsoft's Security Intelligence Report can be found here. ®

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER


Keep Reading

NSO Group: Facebook tried to license our spyware to snoop on its own addicts – the same spyware it's suing us over

Antisocial network sought surveillance tech to boost its creepy Onavo Protect app, it is claimed

Nothing fills you with confidence in an IT contractor more than hearing its staff personal records were stolen by ransomware hackers. Right, Cognizant?

Employees bag commiseration prize of free ID protection

Let's authenticate: Beyond Identity pitches app-wrapped certificate authority

Enclave-bound service aims to be another nail in the password coffin

Judge green-lights Facebook, WhatsApp hacking lawsuit against spyware biz NSO, unleashing Zuck's lawyers

Legal discovery team could turn up some very interesting, and possibly embarrassing details

Spyware maker NSO can't claim immunity, Facebook lawyers insist – it's time to face the music

Software developers aren't nation states, antisocial giant points out

US govt warns foreign hackers 'will likely try to exploit' critical firewall bypass bug in Palo Alto gear – patch now

Bogus signatures may fool your corp network's gatekeeper

Multi-part Android spyware lurked on Google Play Store for 4 years, posing as a bunch of legit-looking apps

Mandrake handlers could snoop on whatever victim did with their phone

Hack computers to steal someone's identity in China? Why? You can just buy one from a bumpkin for, like, $3k

Black Hat Exploit an 3l33t zero-day and reverse-shell that backend DB proxy server... or simply pay this farmer off

Biting the hand that feeds IT © 1998–2020