Bach Seat

Microsoft (NASDAQ MSFT) released the latest Microsoft Security Intelligence Report (SIRv8) on April 26, 2010. Data for SIRv8  came from 500 million PCs across the globe between July and December 2009 and for the first time separates enterprise user and consumer user malware trend data. The data included in the 250-page report says that enterprises and consumers each suffer from different types of malware threats.

Microsft security goog news

The good Microsoft security news from the SIR 8 report is that newer operating systems and up-to-date applications are the most secure. Windows 7 and Vista Service Pack 2 have the lowest infection rates per 1,000 executions of the Microsoft Malicious Software Removal Tool (MSRT) in the second half of last year. (pg. 85). Microsoft runs the Malicious Software Removal Tool before installing Windows updates.

The report shows that the more recent versions of Microsoft Windows are less vulnerable to attack. Cliff Evans, Microsoft UK’s head of security and privacy says only about 5% of the vulnerabilities are in Microsoft software. This has led to a shift in emphasis to targeting third-party programs and utilities. In XP, around 45% of attacks exploited third-party (i.e. non-Microsoft) code, with Vista and Windows 7 it’s around 75% according to an article in the Guardian.

Application attacks continue to increase. Running updated software decreases the attack surface and increases Microsoft security robustness. The report shows that attackers target Internet Explorer 6 (IE 6) up to four times more often than the newer version IE 7 (pg.33). Matt Thomlinson, general manager of product security in Microsoft’s Trustworthy Computing group told DarkReading, “With Internet Explorer, IE 6 is four times more targeted in drive-by attacks.” Thomlinson says SIR 8 provides the first real results to illustrate this.

Browser attacks

The Microsoft security report says that nearly 75% of the browser-based exploits encountered in 2H09, were third-party applications, including Adobe Reader, RealPlayer, Apple QuickTime, and AOL software (pg.26). This means Windows Update is not enough to protect users, who must also install updates from Adobe, Apple, and other software suppliers.

Attacks against Microsoft Office make use of older vulnerabilities that have mostly been fixed and can easily be avoided by keeping the software suite up to date. The majority of Office file format attacks can be avoided by applying service packs (pg. 43). For example, 75.8% of the attacks on Microsoft Office files exploited a single vulnerability (CVE-2006-2492, the Malformed Object Pointer Vulnerability in Microsoft Office Word), which was found in 2006.

The report found that enterprise users contract more worms, “In the enterprise, worms are more of a problem, which is not a surprise in that you have networks with trusted file shares and USB devices, and they are more susceptible to those transmission mechanisms,” Thomlinson told DarkReading. “This is the first time we’ve had data allowing us to separate [enterprise and consumer machines] and show differences [in malware prevalence.]” Worms were found in 32 percent of enterprise PCs.

Rogue anti-virus attacks

Windows in both the enterprise and the consumer markets were hit hard by rogue anti-virus attacks last year. Rogue security software was found on 7.8 million up 46% from 5.3 million in the second half of last year. The most detected rogue security software family, Win32/FakeXPA, was also the third-most prevalent overall threat detected by Microsoft worldwide in 2H09. Three other rouge software families were also widely detected:

• Win32/Yektel,
• Win32/ FakeSpypro, and
• Win32/Winwebsec.

MSFT claims that attacks are now motivated by financial gain, with a “black economy” of malware authors, botnet herders, and other criminals working together to exploit vulnerabilities in Windows PCs. “We’re seeing that the criminals are more professional and organized,” Thomlinson says. “This is really about criminals in shirts and ties, not with tattoos.” Criminals are becoming more specialized in different aspects of cybercrime. They are then coordinating with criminals with other specialties. He says. “Threats are being packaged together and sold as commodities and kits,” he says. “It struck us as we looked at botnets that this is an early version of cloud computing: There is computing available for whatever use they have in mind, and they are taking advantage of many machines to do that. This is the ‘black cloud’ of computing.”