News

Microsoft Security Report Points Fingers at ISVs

The overall number of Windows security holes has declined in the last year by 8.4 percent to about 2,500 vulnerabilities, according to a new Microsoft report.

For a big target like Microsoft, that's good news. It's one of the findings in the eighth edition of Microsoft's Security Intelligence Report, published today, which draws its data mostly from the second half of 2009. The report, which also tracks vulnerabilities in third-party software, can be downloaded here.

The bad news: almost to a person security experts are saying that it's time for independent software vendors (ISVs) who leverage Windows components to step up their own security strategies. And Microsoft thinks so too. Newer Windows operating systems are less vulnerable to attack. Instead, hacker and botnet attacks have shifted toward targeting third-party programs and utilities running on Windows.

In particular, third-party "auto updaters don't work for an enterprise environment," according to Nancee Melby, director of product marketing at Shavlik Technologies.

"An enterprise can't rely on faith that critical security updates are deployed in a timely fashion," she added. "It's time for the third-party vendors to look at Microsoft as an example and stop repeating the mistakes of the past."

Around 45 percent of attacks in 2009 exploited third-party apps on Windows XP. With Vista and Windows 7, that number was closer to 75 percent, according to the report.

Adobe's patching frequency has proved to be a case in point. Microsoft's report identified Adobe Reader as a consistently vulnerable application for Windows 7 users. Three of 10 troublesome third-party apps came from Adobe, according to the report.

"It's clear Microsoft has learned that Windows is often guilty by association -- justified or not -- when third-party apps have security problems," said Don Leatham, senior director of solutions and strategy at Lumension. "Microsoft has a strategy in place where they opened up the WSUS [Windows Server Update Services] APIs to allow ISVs to provide patches via Microsoft's corporate patching technology. They have done essentially the same for the System Center platform, but unfortunately there has not been widespread adoption of these capabilities by the ISV community."

As in Microsoft's previous security reports, the numbers show that more recent versions of Windows operating systems are less vulnerable to attack. Nevertheless, Microsoft's Malicious Software Removal Tool detected malware on eight of every 1,000 computers scanned in the United States during the second half of 2009. The United States was also the No. 1 target of rogue malware, according to the report.

"The only thing that Microsoft has done with Vista and Windows 7 is to make it much harder to use vulnerabilities in the design of the operating system to be the vector of attack," commented Phil Lieberman, president of Lieberman Software.

With the advent of cloud computing, Microsoft will face the additional challenges of managing their datacenter infrastructure and the security of their customer's data, while providing transparency on security policies.

"Microsoft must also get into the business of helping customers implement segregation of duties, physical security controls using mutual authentication, for instance, machine-to-machine verification and certificate management," Lieberman said.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

comments powered by Disqus

Featured

  • Compare New GitHub Copilot Free Plan for Visual Studio/VS Code to Paid Plans

    The free plan restricts the number of completions, chat requests and access to AI models, being suitable for occasional users and small projects.

  • Diving Deep into .NET MAUI

    Ever since someone figured out that fiddling bits results in source code, developers have sought one codebase for all types of apps on all platforms, with Microsoft's latest attempt to further that effort being .NET MAUI.

  • Copilot AI Boosts Abound in New VS Code v1.96

    Microsoft improved on its new "Copilot Edit" functionality in the latest release of Visual Studio Code, v1.96, its open-source based code editor that has become the most popular in the world according to many surveys.

  • AdaBoost Regression Using C#

    Dr. James McCaffrey from Microsoft Research presents a complete end-to-end demonstration of the AdaBoost.R2 algorithm for regression problems (where the goal is to predict a single numeric value). The implementation follows the original source research paper closely, so you can use it as a guide for customization for specific scenarios.

  • Versioning and Documenting ASP.NET Core Services

    Building an API with ASP.NET Core is only half the job. If your API is going to live more than one release cycle, you're going to need to version it. If you have other people building clients for it, you're going to need to document it.

Subscribe on YouTube