Microsoft: Less Flaws, More Threats

Started by VelMurugan, Nov 05, 2008, 11:22 AM

VelMurugan

Microsoft: Less Flaws, More Threats

Microsoft released its half-yearly Security Intelligence Report (MSIR), which takes an in-depth look at the security threat environment around the globe. This report, generated from data received from millions of computers around the world, has some interesting revelations regarding ongoing security trends.

The report observes that while software manufacturers and security software vendors have done an exceptional job in protecting customers from security threats, there has also been an overall increase in the actual threat posed by cyber criminals and malware.

Frost & Sullivan, a security firm that had conducted a study on security threats as well, came up with results similar to Microsoft's -- lending credibility to the MSIR report. Chris Rodriguez, a security analyst from Frost & Sullivan, says, "The boost in malware just goes to show that vulnerabilities and malware/exploits do not follow a direct relationship, despite the fact that malware and exploits are based on security vulnerabilities. Tracking the number of reported vulnerabilities shows the efforts of the security community to thwart attacks. Tracking the malware and exploits shows the efforts of hackers and cyber criminals."

After attaining a peak in mid-2007, the number of vulnerabilities has been in steady decline -- apart from a slight increase in early 2008. In Q3 2007, 63% of the vulnerabilities were classified as "high risk", with only a measly 3% accounting for low-severity ones. One interesting aspect that has been brought to light is that there has been a considerable 43% increase in the amount of potentially harmful software being removed from systems.

Another facet that has been noted is that the focus of these attackers has moved from operating systems to applications. In the first half of 2008, nine out of ten newly reported vulnerabilities were designed to affect applications -- instead of the usual target, the OS. Chris Rodriguez adds, "Every application has a set number of vulnerabilities depending on how big and complex it is. When it comes down to it, they are developed by humans and lower numbers of reported vulnerabilities are simply less tested," indicating his view that vulnerabilities alone are not enough to test the security of an application.

Source : TechTree