Wednesday, 5 November 2008

Security: Apps are the new OS


Earlier this week Microsoft released its bi-annual Security Intelligence Report on security trends and detection rates across the industry for operating systems and applications. The report covers industry data and trends for the past six months: malware data, software vulnerability disclosure data and vulnerability exploit data.


The full report is enormous at 150 pages, while the key findings summary document is very digestible and makes incredible reading. From the following key results, it appears that, at least from Microsoft's view of the world, the security landscape is changing:


  • The total number of unique vulnerability disclosures across the industry decreased in 1H08, down 4 percent from 2H07 and down 19 percent from 1H07.
  • Vulnerability disclosures in Microsoft software in 1H08 continued a multi-period downward trend, both in terms of all disclosures and relative to total industry disclosures.
  • Vulnerabilities rated as High severity increased 13 percent over 2H07.
  • The percentage of disclosed vulnerabilities rated as Low complexity (and therefore easiest to exploit) increased, with 56 percent receiving a complexity rating of Low.
  • The proportion of vulnerabilities disclosed in operating systems continues to decline; more than 90 percent of vulnerabilities disclosed in 1H08 affected applications, rather than operating systems.


Initially the data seems a little contradictory. Overall, vulnerability disclosures are moderately lower than last year and much lower than 2007. However, the number of vulnerabilities rated as HIGH and easy to exploit increased from both 2008 and 2007. This means that there are fewer exposed security holes in the OS, but there are more serious, more virulent and more dangerous security exploits that are easier for people to deploy in web pages and applications in 2008 than in 2007.


Simply put, your OS is more secure, but the world (the internet) is a more dangerous place.


That said, you have to be a little careful here, as this report does read a little like an advertisement for Vista, and the reported security vulnerabilities for Vista (especially 64-bit) are much lower than for XP. Quoting from this document:


  • The infection rate of Windows Vista SP1 is 48.8 percent less than that of Windows XP SP3.
  • The infection rate of Windows Vista is 56.2 percent less than that of Windows XP SP2.


These are big numbers, but I still think that this is not the REAL story here. Reading through this large document, you find that the number of security vulnerabilities has increased for third-party applications, not the operating system. The report suggests that a staggering 90% of security vulnerabilities are related to applications. If this is true, then Microsoft has a very powerful story here: our OS is secure, but your applications are not.


In terms of security nightmares, your applications may be the new Windows 98.


The full report and the key findings summary can be found here;


And, the archive and collection of previous Security Intelligence reports can be found here;


