Feeds

MS blames non-Redmond apps for security woes

Issues are third party and they'll cry if they want to

Using blade systems to cut costs and sharpen efficiencies

Microsoft has blamed common third-party desktop applications, rather than Windows, for the majority of security threats in a new report. The finding might appear surprising at first but is backed by independent security notification firm Secunia.

The latest edition of Microsoft's Security Intelligence Report suggests that "nearly 90 percent of vulnerabilities disclosed in the second half of 2008 affected applications". It reckons hackers have shifted their attention to applications in response to improved security of operating systems, including Windows. The overall number of security vulnerabilities went down, but the number of high-risk flaws rose by 4 per cent, according to Redmond's security researchers.

Which flaws feature in attacks, and their severity, are a much better guide to risk than simply counting the number of vulnerabilities. Microsoft-related problems were held responsible for six of the top 10 browser-based vulnerabilities attacked on machines running Windows XP in the second half of 2008, compared to none on PCs running Windows Vista. The most attacked vulnerabilities involved a flaw in Windows graphics rendering engine (MS06-01) and a RealPlayer console vulnerability. An Adobe Flash vulnerability was the single most common way of attacking Vista machines, with the RealPlayer console flaw cropping up at number three.

"Newer versions of Microsoft software are more secure than previous versions," the software giant said, neatly avoiding the awkward point that supposed security improvements with Vista have made the operating systems slower and more intrusive, (largely thanks to permitted application dialogue pop-ups), contributing to the desire of many to stick with or downgrade to XP.

Security isn't everything, even though evidence from Microsoft suggests that Vista is more resistant to malware. The infection rate of Windows Vista SP1 is 60.6 percent less than that of Windows XP SP3, the software giant reports.

Thomas Kristensen, chief technology officer at security notification firm Secunia, said that poor updating of third-party software makes non-Microsoft vulnerabilities an attractive target for hackers.

“We don't track actual exploits but recently we have been in close dialogue with a number of financial institutions and others who regularly do deal with actual e-crime,” Kristensen told El Reg. “The picture described by them clearly shows that the criminals focus more and more on third-party vulnerabilities and less on Microsoft vulnerabilities.”

“If you look at some of the recent stats from Secunia the reason should be obvious, even the security conscious Secunia PSI and OSI users are generally slower at updating their third party software than their Microsoft software,” he added.

Microsoft's study also warns of a "growing tide" of rogue security software (AKA scareware) applications, examples of which appear high up on Redmond's threat index. For example, two rogue families, FakeXPA and FakeSecSen, were detected on more than 1.5 million computers running Microsoft's malicious software removal tool, making them among the top 10 threats of the second half of 2008. In addition, Renos, a malware strain used to push separate scareware applications, was picked up on 4.4 million Windows PCs in the second half of 2008, an increase of two-thirds over the first six months of the year.

Lastly the report found that lost and stolen equipment was the cause of half the data loss problems publicly reported in the second half of last year.

The latest (sixth) edition of Microsoft's Security Intelligence Report can be found here. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.