Decline In Vulnerabilities Belies Threat Increase, Microsoft Says in New Security Report

April 29, 2008 Alex Woodie

Despite a 15 percent decline in new security vulnerability disclosures during the second half of 2007, cybercriminals continued to successfully mine the Internet for profit, primarily by planting Trojan horses and other pieces of malicious code that steal people’s identities and perform other works of unpleasantness. These are the conclusions of Microsoft‘s latest Security Intelligence Report (SIR), which it released at the Infosecurity Europe 2008 conference in London yesterday.

Since late 2006, Microsoft has been collecting security-related data it pulls from 450 million computers around the world–perhaps yours–and compiling it into a comprehensive view of IT security, with a concentration on software vulnerabilities, exploits, malicious code, and another category called “potentially unwanted software.”

From July through December 2007, Microsoft witnessed a sudden turnaround in the prevalence of new security vulnerabilities, (per the Common Vulnerability Scoring System (CVSS) method. After several years of increasing vulnerabilities, the number of new vulnerabilities suddenly dropped by 15 percent from the year before to 2005 levels, leaving 2006 to likely be the high-water mark for vulnerabilities during the current Internet epoch. Those findings largely mesh with the findings of another security report issued by IBM‘s Internet Security Systems‘ Team X-Force, which found a 5 percent decline in vulnerabilities in 2007.

However, even as vulnerabilities in system and application software declines, Microsoft’s security researchers found the prevalence of malware and cybercrime increased during the second part of 2007. The number of Trojan downloaders–pieces of malware that are planted on Web pages or in e-mail messages that allow hackers to surreptitiously install other, more sophisticated pieces of malware on victims’ computers–increased by 300 percent.

Microsoft also reports that it found a 66.7 percent increase in the number of potentially unwanted software, which Microsoft defines as programs that may impact user privacy or security by performing actions the person may not want. A total of 129.5 million pieces of potentially unwanted software were found on users’ systems during scans from July to December.

Financial gain by organized crime is driving the latest increase in security concerns, according to Microsoft. “This latest volume supports our position that today’s threats continue to be motivated by monetary gain, and it also gives us a solid view of vulnerability and exploit trends,” says Vinny Gullotto, general manager of the Microsoft malware protection center.

These criminal organizations are becoming more sophisticated in their use of infected networks of computers, called botnets, and the spam e-mail that these computers generate to try to lure new victims to malicious Web sites, which is also called phishing. Microsoft noted the botnet handlers have become quite adept at adapting their spam pitches to play on basic human instincts like fear, guilt, desire, empathy, and sex, as well as current events. For example, the Storm botnet, perhaps the most infamous malicious network, got its name from an e-mail subject line used as it ramped up its campaign in January 2007: “230 dead as storm batters Europe.” Click on the link, however, and your computer becomes just another drone in the botnet army.

In the end, Microsoft’s findings highlight the need for more security education. These include the basic “duh” activities: activate a firewall, install and update antivirus and anti-malware software, and don’t click on suspicious e-mail subject lines.

In the data center, good security practices means something else. While vulnerabilities, exploits, and compromises gain headlines, only a quarter of security breaches are due to exploits, malware, and hacking. The vast majority of breaches are the result of the absence or failure of proper information handling or physical security procedures, such as lost or stolen laptops or backup tapes. For data center personnel, better security policies and encryption are the keys to better security.