Dan Griffin's Blog

Comments on security, PKI, smart cards, cryptography, and entrepreneurship.

Just read an article in this month’s TechNet magazine (not yet online) regarding the latest (1st half, 2007) Microsoft Security Intelligence Report. A link to the latter is here.

The SIR is quite interesting; I recommend that the security conscious at least scan it. Some comments (mostly on the key findings, which are also available in a much shorter separate document at the link above) follow:

First, the observation is made that security researchers are now targeting applications more than operating systems. From my own perspective, this is borne out by the content at hacker cons over the past year: on the client, research is primarily focused on the browser, plus applications such as iTunes. Mobile devices are getting attention, as are infrastructure components such as VoIP. Hackers are also looking at social networking sites such as Facebook and MySpace, since those represent high-profile targets, and their growth outpaces their ability to stay secure.

Second: another trend the report notes is that rogue security software is one of the largest areas of malware growth. This refers to, for example, anti-malware utilities that are actually spyware. Very devious, and something to keep in mind. See p. 62 in the full report.

Third: there are a couple of juicy data points regarding running the latest and greatest software versions (Windows Vista; Office 2007). For one thing, there are various references to a (normalized) decrease in the number of malware infections on Vista, relative to previous versions of the operating system. While I don’t really doubt that will be the case, what’s missing from the report are the absolute installed-base numbers. I mean, is there a broad enough data set of users running Vista that we can make meaningful trend statements about it yet? And of those people running Vista, won’t a relatively high percentage of them be early-adopters, power-users, and the security conscious?

I did, however, have a bigger concern about a related recommendation cited in the report. The counter-measures section of Vulnerability Exploit Details (p. 19) says, “new products are at less risk to publicly available exploit code than products that have a longer time in market.” While the report doesn’t come right out and say, ‘immediately upgrade to our latest stuff and you won’t get owned’, the context of that statement is still a bit dicey! For one thing, the report states (p. 28) that one possible explanation of that trend is social changes among the exploit developer community. Therefore, this data doesn’t necessarily show that newer products are more secure.

Still, I can see why IT managers would consider upgrading if the data shows a decreased threat as a result (and it’s clearly in Microsoft’s best interest to push for this). Nevertheless, major product revisions almost always introduce two things: new features that haven’t been around long enough to prove their security, and incompatibilities with previous versions. Carefully consider the tradeoffs.

Fourth: I can understand why the report differentiates between code execution exploits and Denial of Service attacks (see p. 21). The former tend to be a much bigger concern. But I find it troubling that DoS-only exploits seem to have been entirely scrubbed from their dataset. Surely Microsoft is taking responsibility for all classes of threats against its products! De-prioritization of DoS risk, in comparison to other types of threats, is much too common in the software industry right now.

Fifth, and finally, from an anti-malware perspective, the report states that more than half of all real-time protection triggers are related to attempts to download and install ActiveX components (p. 62). I knew ActiveX was bad, but I didn’t realize it still dominated, from a malware propagation perspective, to that extent. Think twice before installing any ActiveX control.
