Vulnerabilities are decreasing but becoming easier to exploit; Trojans are the biggest threat; and Chinese computers are infected with more browser-based exploits than anywhere else. Those are the findings of the Microsoft Security Intelligence Report, due to be released on Monday.
Covering the first half of this year, the report provides statistics compiled from Microsoft's Malware Protection Center that reveal trends about threats, breaches and infection rates.
"Industry-wide, we've seen a decrease in the last 12 months in vulnerabilities across products, [down nearly 20 percent from the year-ago period]," George Stathakopoulos, general manager of Microsoft's Trustworthy Computing Group, said in an interview.
Meanwhile, the percentage of disclosed vulnerabilities that are easiest to exploit increased, with 56 percent requiring a low complexity exploit, according to the report.
Operating system vulnerabilities continued to decline, representing about six percent of disclosed vulnerabilities, with more than 90 percent found in applications.
Vulnerabilities in Microsoft software also continued to trend down, falling by about one-third from the second half of 2007. About one-third of the vulnerabilities disclosed in Microsoft software had publicly available exploit code.
Microsoft released patches for 77 security vulnerabilities during the first half of 2008, with 25 having publicly available exploit code.
The total amount of malware and unwanted software removed from computers worldwide in the first half of the year increased more than 43 percent from the second half of last year. Trojan downloaders accounted for more than 30 percent of that.
Of the computers serviced by Microsoft's Malicious Software Removal Tool, which runs on every PC that gets Windows updates, an average of 10 out of 1,000 are found to be infected worldwide, Stathakopoulos said. In the US, the infection number is 11.2 per 1,000. The lowest infection rate is in Japan, at 1.8 infected computers per 1,000, and at the other end is Afghanistan at 76 machines per 1,000, he said.
Downloaders or droppers, software that drops back doors on to computers, remained the most prevalent threat category. More than 96 percent of the computers cleaned in this category were attributed to two Trojan families: Win32/Zlob and Win32/Renos, the report said.
"Defences against viruses and spyware work pretty well," said John Pescatore, an analyst at Gartner. "But the numbers are growing for Trojans; things are getting right through the antivirus and spyware software. It's not stopping the targeted malicious executables."
The changing landscape of vulnerabilities, with social engineering attacks plaguing PCs, means companies should change their strategy for how they protect the corporate network, said Don Retallack, an analyst at Directions on Microsoft.
"Companies and organisations may want to do some employee training rather than counting on [software] configuration management," he said.
The report also has some interesting statistics specific to different countries. For instance, China has a high level of browser-based exploits, accounting for 47 percent of all incidents, followed by the US with 23 percent of incidents, the report found.
China is at the top of the list because the software developers there are not as disciplined in writing code with security in mind and the huge market is an attractive target for malware writers, Stathakopoulos said.
In Brazil, password stealers dominate; viruses are big in Spain; in Italy it's unwanted software, led by the peer-to-peer client Win32/BearShare; while in Korea viruses are the biggest threat.
Talkback
"Companies should change their strategy for how they protect the corporate network".
How about the OS manufacturer change the way their OS is constructed to prevent trojans from getting in?
We can manage this problem by restricting which applications can execute on an endpoint or server - by using Application Control.
Application Control keeps out malware by proactively controlling the applications that can execute on network servers, terminal services servers, thin clients, laptops or desktops.
By employing a whitelist approach, Application Control enables only authorised applications to run on a network, laptop or PC - facilitating security and systems management, while providing the necessary flexibility to the organisation.
It is true that antivirus software plays an important part in an organization's network security.
It is also true that in many cases it's not; for example, on industrial networks (clients not connected to the internet) virus signatures are not updated quickly enough, leaving the systems with a false sense of protection (plus the resource consumption).
The truth is that if you are only blocking endpoint data extractions and not usage (read/execution), your network is vulnerable to being infected by the simple use of a CD or USB removable drive at any endpoint.
So, if you have antivirus software in place (signatures not up to date), or your network is unlucky enough to be a virus debutant (get it before it's known), and you have endpoint security that allows usage of CDs, for example, your real protection value against trojans is 0 (plus the resource consumption).
Hence the importance of endpoint security software in preventing virus or Trojan entry without the luck factor.
Endpoint security software solutions should not provide one-way security (meaning blocking only extractions), a pseudo read-only mode, because execution is also allowed.
The truth is that to be able to allow usage of removable storage devices, the only method that makes sense is to authorize a specific storage device to operate at a specific client for a specific duration, and monitor file extractions. Or completely disallow usage when not required.
To provide options that diminish the protection value of the software regarding Trojans or virus entrance to minus 0 does not make sense. (And is misleading by nature)
Regarding removable storage devices, effective network endpoint protection should only provide the following options to be straightforward:
a) Block (protected)
b) Authorize a specific device and monitor it (block all other devices of the kind except the approved device)
c) No action taken. (Unprotected)
One could argue that as long as one-way "protection" is provided as an option it's fine. (You don't have to use it.)
Have you wondered how unnecessary options affect the protection value of your solution? The truth is that options always bring compromise at development.
If you need to protect your organization's assets, implement endpoint security that is straightforward to your real needs, and not resource-consuming, bloated solutions weakened by options.
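As an added illustration of the three device-control options the commenter lists (block; authorize a specific device on a specific client for a specific duration with extractions monitored; no action), and of why a block-extractions-only mode still lets execution through, here is a small policy evaluator written for this page; it is not code from any product mentioned above, and the device serials, hostnames and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
# Policy modes named in the comment above (constant names are this example's own):
BLOCK = "block"                # a) every removable device refused
AUTHORIZE = "authorize"        # b) listed device, on a named client, until expiry; extractions logged
NONE = "none"                  # c) no action taken (unprotected)
EXTRACT_ONLY = "extract_only"  # the "one way" pseudo read-only mode the comment criticises

@dataclass(frozen=True)
class Grant:
    device_id: str     # constructed USB serial number
    client: str        # hostname the grant is scoped to
    expires: datetime  # grant is void at or after this time

@dataclass(frozen=True)
class Event:
    client: str
    device_id: str
    action: str        # "read", "execute" or "write" (write = extraction of data to the device)
    time: datetime

def evaluate(mode, grants, event, audit):
    """Return 'allow' or 'deny'; append a line to audit for every allowed extraction."""
    if mode == NONE:
        return "allow"
    if mode == BLOCK:
        return "deny"
    if mode == EXTRACT_ONLY:
        # Only copying data out is refused; read and execute from the device still pass,
        # which is why the comment rates this mode's protection against trojans at zero.
        return "deny" if event.action == "write" else "allow"
    for g in grants:
        if (g.device_id, g.client) == (event.device_id, event.client) and event.time < g.expires:
            if event.action == "write":
                audit.append(f"{event.time:%Y-%m-%dT%H:%M} {event.client} {event.device_id} extraction")
            return "allow"
    return "deny"

def demo():
    """Constructed sample: one approved stick on one workstation, valid for one working day."""
    grants = (Grant("USB-SN-0001", "ws-finance-01", datetime(2008, 11, 3, 18, 0)),)
    events = [
        Event("ws-finance-01", "USB-SN-0001", "execute", datetime(2008, 11, 3, 9, 0)),   # approved, in window
        Event("ws-finance-01", "USB-SN-0001", "write",   datetime(2008, 11, 3, 9, 5)),   # allowed but logged
        Event("ws-finance-02", "USB-SN-0001", "execute", datetime(2008, 11, 3, 9, 10)),  # wrong client
        Event("ws-finance-01", "USB-SN-9999", "read",    datetime(2008, 11, 3, 9, 15)),  # unapproved device
        Event("ws-finance-01", "USB-SN-0001", "execute", datetime(2008, 11, 3, 19, 0)),  # grant expired
    ]
    audit = []
    authorized = [evaluate(AUTHORIZE, grants, e, audit) for e in events]
    one_way = [evaluate(EXTRACT_ONLY, grants, e, []) for e in events]
    return authorized, one_way, audit
```

Running demo() shows the authorize mode refusing the wrong client, the unlisted device and the expired grant while logging the one extraction, whereas the extract-only mode waves through every read and execute.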
ator1940 is correct that the operating system design is at fault for the majority of Trojan attacks/infestations, simply because so many programs and operating options require Admin or near-admin privileges in Windows. I find, though, that most of the issues related to security of the OS are actually the results of bad decisions made by Microsoft management.
You can't operate Windows XP Pro, even with SP3 on it, without having Admin level access to an awful lot of the system. The alternative Microsoft OS, Vista, was worse because it aggravated the user to such an extent, and more than the Trojan infestation! Instead of sticking with it, users turn off the security features due to the freaking annoyances. Perhaps with SP1 Vista operates better, but I'm not willing to go through evaluating Vista again after my experiences with the RCs and the public Beta.
The second operating system defect issue is the apparent ease at which malware seems to be able to elevate its privilege level even if the user isn't operating at Admin level. There is a fundamental problem with the OS if a downloaded script or HTA program can elevate itself above the security level of the current user. I point the finger straight at Internet Explorer as the guilty party. The decision made by Bill Gates and others to push the browser into the OS was the biggest freaking "pointy-haired Boss" mistake of all software management time.
Operating ANY browser on the Internet is a security risk, and as such it should be isolated as much as possible from the rest of the operating system, perhaps even to the extent that it operates in its own VM. If Microsoft wants to win me back as a supporter, one thing they could do is exactly that. That can be done right now, today, EXCEPT for some previous bad decisions made by Microsoft.
They need to offer a FREE special configuration of IE8 or 9 that operates totally isolated in its own VM and is operable on XP Pro, Vista and Windows 7 when it's released. That would require that they open up the EULA terms enough to allow a user to run two instances of the same XP or Vista license on the SAME system, something that VPC2007 doesn't currently allow. (Again, a STUPID move, Microsoft!) Two more tools to stick into the mix would be the Vista firewall and Windows Defender, into the IE configuration with the VM. That likely would give the users that cared a means to prevent their systems from becoming netbots.