• Article

Security

The Microsoft Security Intelligence Report

Tim Rains

 

At a Glance:

  • Trends in software vulnerability disclosures, exploits, and malware
  • Threat impact for different versions of Windows
  • Most- and least-infected areas of the world

Data from hundreds of millions of Internet-connected systems and some of the world's busiest online services gives Microsoft a unique view of the security threats facing Internet users today.

Microsoft shares this data twice a year in its Security Intelligence Report (SIR). Contributors to the report include the Microsoft® Malware Protection Center (MMPC), the Microsoft Security Response Center (MSRC), the Trustworthy Computing (TwC) group, as well as numerous other product groups. The SIR provides an in-depth view of recent trends in software vulnerability disclosures, malicious software and potentially unwanted software, such as spyware and adware. The report also includes details on how various versions of the Windows operating system have been performing within the threat landscape and which regions of the world are most infected with malware and other intrusive software. The latest version of the report, which focuses on the trends observed in the first half of 2007, includes a new section on software vulnerability exploits. If computer security is your responsibility or is of interest to you, the SIR will be valuable reading, as it is designed to help inform you about Internet-related threats.

The latest SIR reveals that security researchers are finding more vulnerabilities in software from all vendors. In fact, over 3,400 new software vulnerabilities were disclosed in the first half of 2007 alone! Yet, despite this significant number, the overall percentage of operating system vulnerabilities being disclosed is declining.

What does this mean? One possibility is that security researchers are focusing more on applications because operating system security has continued to improve. Moreover, since the number of new applications is outpacing the number of new operating systems, application proliferation is likely a driving force behind these recent vulnerability disclosure trends.

During 2006, 29.3 percent of known vulnerabilities in Microsoft products had publicly available exploit code while, as of August 1, 2007, only 20.9 percent of known vulnerabilities had publicly available exploit code. Though the number of vulnerabilities continues to increase, the ratio of exploit code remains steady and has even shown a slight decline. Exploit code for newer products is harder to find. We conducted a product-by-product comparison that suggests newer versions of products are at less risk than product versions that have been in the market longer. On average, exploitability decreases across product lifetimes, meaning that for a majority of products, later versions are less exploitable. This is most apparent for Windows and for the Microsoft Office System products. Later versions of both (Windows Server® 2003, Windows Vista®, Office 2003, and the 2007 Office system) showed a distinct decrease in the number of vulnerabilities through the product lifetime.

The SIR offers valuable insights into trends in malicious software (known as malware). These trends are an indication of the tactics currently being used to attack users. Looking at data from some significant primary sources, including Microsoft Exchange Hosted Services (EHS), Windows Live® OneCare and Windows Live OneCare safety scanner, Windows Malicious Software Removal Tool (MSRT), and Windows Defender, gives us a view of the threat landscape from a few different vantage points.

Social engineering plays an increasing role in malware distribution. Such attacks are often effective at tricking users into taking some action that may diminish the effectiveness of security mechanisms. Data from EHS indicates that during the first half of 2006, classic e-mail worms comprised the single largest e-mail-borne threat, representing 95 percent of the malware detected in e-mail. Beginning in the second half of 2006, this number dropped to 49 percent and remained consistent throughout the first half of 2007 (see Figure 1). Phishing scams and e-mail containing malicious IFrame attacks accounted for 27 percent of e-mail malware detections in the second half of 2006 and rose to 37 percent in the first half of 2007. Downloader Trojans carried in e-mail peaked at 20 percent for the second half of 2006, dropping to 7 percent in the first half of 2007.

Figure 1 Composition of infected e-mail in the first half of 2007

Figure 1** Composition of infected e-mail in the first half of 2007 **(Click the image for a larger view)

Telemetry data collected from Windows Live OneCare and Windows Live OneCare safety scanner (safety.live.com) indicates that infection rates of viruses, backdoors, password stealers, and data-theft Trojans increased in the first half of 2007.

MSRT is designed to help identify and remove prevalent malware from customer computers. It is primarily released as a critical update through Windows Update (WU), Microsoft Update (MU), and Automatic Updates (AU). Over the past two years the MSRT has removed 50.3 million infections from 20.5 million computers worldwide. The total number of MSRT executions to date is in excess of 7.4 billion; this includes 1.9 billion executions in the first half of 2007.

The MSRT is a great source of data for Microsoft and its customers. Infection rates observed by the MSRT are significantly lower among Windows Vista and Windows XP SP2 systems than among older Windows operating systems, as shown in Figure 2. The MSRT has cleaned malware from 60 percent fewer computers running Windows Vista than from computers running Windows XP SP2, and 91.5 percent less malware than from computers running Windows XP without any service pack installed. Interestingly, the number of disinfections per computer has remained steady over time, with an average of 2.2 disinfections per infected computer.

Figure 2 OS versions cleaned by the MSRT in the first half of 2007

Figure 2** OS versions cleaned by the MSRT in the first half of 2007 **(Click the image for a larger view)

As a general rule, more malware is found, proportionally, by the MSRT in developing countries than in developed countries. For example, the most infected countries in Europe are Albania and Turkey, while the least infected are Italy and Finland. In the Asia-Pacific region, the most infected are Mongolia and Thailand, while the least infected are New Zealand and Japan. The United States is proportionally less infected than most of the countries and regions in the Americas, and its infection rate is roughly the same as the worldwide average. On average, the MSRT cleaned 1 out of every 216 computers during the first half of 2007.

Windows Defender runs on Windows Vista, Windows XP, and Windows Server 2003. Overall, 50.7 million pieces of potentially unwanted software were detected during the first half of 2007, with 2.8 times fewer pieces detected on computers that were running Windows Vista than on those that were running Windows XP SP2. Likewise, the number of detections of potentially unwanted software on computers running Windows Vista was half that found on computers running Windows Server 2003.

You may be wondering by now, as interesting as all these statistics may be, how do they help you better protect yourself and your environment? In the latest SIR, each major section is prefaced with a summary of the highlights of that section and a set of "Strategy, Mitigations, and Countermeasures." You can use these lists to quickly learn about the key findings in each section of the report.

Moreover, you can use the data, insights, and guidance offered in the SIR to assess and improve your current security posture given the ever-changing threat landscape. The full report, which offers strategy, mitigations, and countermeasures based on the key findings, can be downloaded from microsoft.com/sir.

Tim Rains is a Product Manager in the Microsoft Malware Protection Center (MMPC). He manages the production of the Microsoft Security Intelligence Report (SIR). The authors of the SIR are Jeff Jones (Director, Microsoft Trustworthy Computing Group), Jeff Williams (Director for the MMPC), Mike Reavey (Group Manager, Microsoft Security Response Center), and Ziv Mador (Senior Program Manager and Response Coordinator, MMPC).

© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.