News

Bugs Are Up, Microsoft Security Report Says

New attack vectors and methods for hacker intrusion, it seems, are popping up every few months.

• By Jabulani Leffall
• 04/23/2008

So what's the good news?

Microsoft appears to be acknowledging such issues and is taking steps to protect customers and educate channel partners and end users. That's the opinion of Andrew Storms, director of IT security operations at San Francisco-based nCircle Network Security.

Like many IT pros, security consultants and prognosticators, Storms applauded what he called the "forthrightness" of findings in Redmond's semi-annual Security Intelligence Report (SIR). The fourth volume of the SIR report, released on Tuesday, was derived from information gathered in the latter half of 2007.

"Who better to tell us what the attack vectors are than Microsoft themselves," Storms said. "There simply is no other vendor right now that matches anywhere near the resources that Microsoft is investing in their security development lifecycle. While some vendors release metrics to boast their own security software, this is an admirable thing because these numbers presented aren't entirely beautifying for Microsoft."

Indeed the numbers aren't flattering, revealing that an astounding 57 percent of all publicly disclosed breaches are caused by lost or stolen systems. Only 13 percent of breaches in the same period were caused by active hacking, as was the case with grocery chain Hannaford Bros. last month.

Another alarming finding was a 300 percent increase in the number of Trojan bug downloaders and droppers. Experts from all corners of the IT security community say this and other Web-based attacks, such as phishing, pose major risks to networks, enterprise systems and information.

The study also revealed a 66.7 percent uptick in the presence of unsolicited software detection programs compared with the previous year. The authors of the report said that such programs "may impact user privacy or security by performing actions the person may not want." The uptick was reported for the period between July 1 and Dec. 31, in which there was a total of 129.5 million instances where potentially unwanted software was located on the operating systems and workstations of end users.

Storms called this development intriguing.

"[This] represents a fundamental issue that both enterprises and consumers have been facing for many years, but really is only beginning to be understood," he said. "The areas of configuration and policy compliance are baseline concepts that need addressing. Even in enterprises where a common operating environment is the basis for the computing infrastructure, once a system leaves the nest of Information Technology department, it changes dramatically."

The SIR's release comes as Redmond continues to encourage researchers to canvas Microsoft programs, including its online services, for security bugs, provided they "responsibly" disclose all and any bugs to Microsoft.

"Because we will not pursue legal action against researchers who report vulnerabilities to us responsibly, we hope to encourage those who want to help us protect customers to feel free to do so without fear of repercussions," wrote Microsoft Security Response Communication Manager Bill Sisk, on late Tuesday in an e-mail statement. "As we have done for many years, we continue to work closely with security researchers and encourage responsible disclosure of vulnerabilities in our products as well as for online services."

The four volumes of Microsoft's SIR report can be downloaded here.