Feeds

MS blames non-Redmond apps for security woes

Issues are third party and they'll cry if they want to

5 things you didn’t know about cloud backup

Microsoft has blamed common third-party desktop applications, rather than Windows, for the majority of security threats in a new report. The finding might appear surprising at first but is backed by independent security notification firm Secunia.

The latest edition of Microsoft's Security Intelligence Report suggests that "nearly 90 percent of vulnerabilities disclosed in the second half of 2008 affected applications". It reckons hackers have shifted their attention to applications in response to improved security of operating systems, including Windows. The overall number of security vulnerabilities went down, but the number of high-risk flaws rose by 4 per cent, according to Redmond's security researchers.

Which flaws feature in attacks, and their severity, are a much better guide to risk than simply counting the number of vulnerabilities. Microsoft-related problems were held responsible for six of the top 10 browser-based vulnerabilities attacked on machines running Windows XP in the second half of 2008, compared to none on PCs running Windows Vista. The most attacked vulnerabilities involved a flaw in Windows graphics rendering engine (MS06-01) and a RealPlayer console vulnerability. An Adobe Flash vulnerability was the single most common way of attacking Vista machines, with the RealPlayer console flaw cropping up at number three.

"Newer versions of Microsoft software are more secure than previous versions," the software giant said, neatly avoiding the awkward point that supposed security improvements with Vista have made the operating systems slower and more intrusive, (largely thanks to permitted application dialogue pop-ups), contributing to the desire of many to stick with or downgrade to XP.

Security isn't everything, even though evidence from Microsoft suggests that Vista is more resistant to malware. The infection rate of Windows Vista SP1 is 60.6 percent less than that of Windows XP SP3, the software giant reports.

Thomas Kristensen, chief technology officer at security notification firm Secunia, said that poor updating of third-party software makes non-Microsoft vulnerabilities an attractive target for hackers.

“We don't track actual exploits but recently we have been in close dialogue with a number of financial institutions and others who regularly do deal with actual e-crime,” Kristensen told El Reg. “The picture described by them clearly shows that the criminals focus more and more on third-party vulnerabilities and less on Microsoft vulnerabilities.”

“If you look at some of the recent stats from Secunia the reason should be obvious, even the security conscious Secunia PSI and OSI users are generally slower at updating their third party software than their Microsoft software,” he added.

Microsoft's study also warns of a "growing tide" of rogue security software (AKA scareware) applications, examples of which appear high up on Redmond's threat index. For example, two rogue families, FakeXPA and FakeSecSen, were detected on more than 1.5 million computers running Microsoft's malicious software removal tool, making them among the top 10 threats of the second half of 2008. In addition, Renos, a malware strain used to push separate scareware applications, was picked up on 4.4 million Windows PCs in the second half of 2008, an increase of two-thirds over the first six months of the year.

Lastly the report found that lost and stolen equipment was the cause of half the data loss problems publicly reported in the second half of last year.

The latest (sixth) edition of Microsoft's Security Intelligence Report can be found here. ®

Next gen security for virtualised datacentres

More from The Register

next story
Microsoft: We plan to CLEAN UP this here Windows Store town
Paid-for apps that provide free downloads? Really
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Hear ye, young cyber warriors of the realm: GCHQ wants you
Get involved, get a job and then never discuss work ever again
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.