Feeds

MS blames non-Redmond apps for security woes

Issues are third party and they'll cry if they want to

Top 5 reasons to deploy VMware with Tegile

Microsoft has blamed common third-party desktop applications, rather than Windows, for the majority of security threats in a new report. The finding might appear surprising at first but is backed by independent security notification firm Secunia.

The latest edition of Microsoft's Security Intelligence Report suggests that "nearly 90 percent of vulnerabilities disclosed in the second half of 2008 affected applications". It reckons hackers have shifted their attention to applications in response to improved security of operating systems, including Windows. The overall number of security vulnerabilities went down, but the number of high-risk flaws rose by 4 per cent, according to Redmond's security researchers.

Which flaws feature in attacks, and their severity, are a much better guide to risk than simply counting the number of vulnerabilities. Microsoft-related problems were held responsible for six of the top 10 browser-based vulnerabilities attacked on machines running Windows XP in the second half of 2008, compared to none on PCs running Windows Vista. The most attacked vulnerabilities involved a flaw in Windows graphics rendering engine (MS06-01) and a RealPlayer console vulnerability. An Adobe Flash vulnerability was the single most common way of attacking Vista machines, with the RealPlayer console flaw cropping up at number three.

"Newer versions of Microsoft software are more secure than previous versions," the software giant said, neatly avoiding the awkward point that supposed security improvements with Vista have made the operating systems slower and more intrusive, (largely thanks to permitted application dialogue pop-ups), contributing to the desire of many to stick with or downgrade to XP.

Security isn't everything, even though evidence from Microsoft suggests that Vista is more resistant to malware. The infection rate of Windows Vista SP1 is 60.6 percent less than that of Windows XP SP3, the software giant reports.

Thomas Kristensen, chief technology officer at security notification firm Secunia, said that poor updating of third-party software makes non-Microsoft vulnerabilities an attractive target for hackers.

“We don't track actual exploits but recently we have been in close dialogue with a number of financial institutions and others who regularly do deal with actual e-crime,” Kristensen told El Reg. “The picture described by them clearly shows that the criminals focus more and more on third-party vulnerabilities and less on Microsoft vulnerabilities.”

“If you look at some of the recent stats from Secunia the reason should be obvious, even the security conscious Secunia PSI and OSI users are generally slower at updating their third party software than their Microsoft software,” he added.

Microsoft's study also warns of a "growing tide" of rogue security software (AKA scareware) applications, examples of which appear high up on Redmond's threat index. For example, two rogue families, FakeXPA and FakeSecSen, were detected on more than 1.5 million computers running Microsoft's malicious software removal tool, making them among the top 10 threats of the second half of 2008. In addition, Renos, a malware strain used to push separate scareware applications, was picked up on 4.4 million Windows PCs in the second half of 2008, an increase of two-thirds over the first six months of the year.

Lastly the report found that lost and stolen equipment was the cause of half the data loss problems publicly reported in the second half of last year.

The latest (sixth) edition of Microsoft's Security Intelligence Report can be found here. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Meet OneRNG: a fully-open entropy generator for a paranoid age
Kiwis to seek random investors for crowd-funded randomiser
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.