Microsoft has blamed common third-party desktop applications, rather than Windows, for the majority of security threats in a new report. The finding might appear surprising at first but is backed by independent security notification firm Secunia.
The latest edition of Microsoft's Security Intelligence Report suggests that "nearly 90 percent of vulnerabilities disclosed in the second half of 2008 affected applications". It reckons hackers have shifted their attention to applications in response to improved security of operating systems, including Windows. The overall number of security vulnerabilities went down, but the number of high-risk flaws rose by 4 per cent, according to Redmond's security researchers.
Which flaws feature in attacks, and their severity, are a much better guide to risk than simply counting the number of vulnerabilities. Microsoft-related problems were held responsible for six of the top 10 browser-based vulnerabilities attacked on machines running Windows XP in the second half of 2008, compared to none on PCs running Windows Vista. The most attacked vulnerabilities involved a flaw in Windows graphics rendering engine (MS06-01) and a RealPlayer console vulnerability. An Adobe Flash vulnerability was the single most common way of attacking Vista machines, with the RealPlayer console flaw cropping up at number three.
"Newer versions of Microsoft software are more secure than previous versions," the software giant said, neatly avoiding the awkward point that supposed security improvements with Vista have made the operating systems slower and more intrusive, (largely thanks to permitted application dialogue pop-ups), contributing to the desire of many to stick with or downgrade to XP.
Security isn't everything, even though evidence from Microsoft suggests that Vista is more resistant to malware. The infection rate of Windows Vista SP1 is 60.6 percent less than that of Windows XP SP3, the software giant reports.
Thomas Kristensen, chief technology officer at security notification firm Secunia, said that poor updating of third-party software makes non-Microsoft vulnerabilities an attractive target for hackers.
“We don't track actual exploits but recently we have been in close dialogue with a number of financial institutions and others who regularly do deal with actual e-crime,” Kristensen told El Reg. “The picture described by them clearly shows that the criminals focus more and more on third-party vulnerabilities and less on Microsoft vulnerabilities.”
“If you look at some of the recent stats from Secunia the reason should be obvious, even the security conscious Secunia PSI and OSI users are generally slower at updating their third party software than their Microsoft software,” he added.
Microsoft's study also warns of a "growing tide" of rogue security software (AKA scareware) applications, examples of which appear high up on Redmond's threat index. For example, two rogue families, FakeXPA and FakeSecSen, were detected on more than 1.5 million computers running Microsoft's malicious software removal tool, making them among the top 10 threats of the second half of 2008. In addition, Renos, a malware strain used to push separate scareware applications, was picked up on 4.4 million Windows PCs in the second half of 2008, an increase of two-thirds over the first six months of the year.
Lastly the report found that lost and stolen equipment was the cause of half the data loss problems publicly reported in the second half of last year.
The latest (sixth) edition of Microsoft's Security Intelligence Report can be found here. ®