Microsoft Security Intelligence Report volume 6 (July through December 2008)
Key Findings Summary
Volume 6 of the Microsoft® Security Intelligence Report provides an in-depth perspective on software vulnerabilities (both in Microsoft software and in third-party software), software exploits, and malicious and potentially unwanted software trends observed by Microsoft during the past several years, with a focus on the second half of 2008 (2H08)¹. The Report also contains new information on rogue security software, browser-based exploits, popular document format exploits, and updated information on security and privacy breaches. This document is a summary of the key findings of the report. The full Security Intelligence Report also offers strategies, mitigations, and countermeasures. It can be downloaded from http://www.microsoft.com/sir.
Rogue Security Software
 
The prevalence of rogue security software has increased significantly over the past three periods (see the category Misc. Trojans in Figure 16 below). Rogue security software uses fear and annoyance tactics to convince victims to pay for “full versions” of the software in order to remove and protect themselves from malware, to stop the continual alerts and warnings, or both. Examples of rogue security software social engineering techniques, including screenshots, can be found in the full Security Intelligence Report. The Report also features a focus section on legal actions taken against rogue security software distributors.
¹ The nomenclature used throughout the report to refer to different reporting periods is nHYY, where nH refers to either the first (1) or second (2) half of the year, and YY denotes the year. For example, 2H08 represents the period covering the second half of 2008 (July 1 through December 31), while 1H08 represents the period covering the first half of 2008 (January 1 through June 30).
 
 
 
Industry Vulnerability Disclosures
Vulnerabilities are defined as weaknesses in software that allow an attacker to compromise the integrity, availability, or confidentiality of that software. Some of the worst vulnerabilities allow attackers to run arbitrary code on compromised systems. Vulnerability data in this section was gathered from third-party sources, published reports, and Microsoft’s own data.
 
Across the IT industry, the total number of unique vulnerability disclosures decreased in 2H08, down 3 percent from 1H08. For 2008 as a whole, total disclosures were down 12 percent from 2007.
 
In contrast, vulnerabilities rated as High severity by the Common Vulnerability Scoring System (CVSS)² increased 4 percent over 1H08; roughly 52 percent of all vulnerabilities were rated as High severity. For 2008 as a whole, the total number of High Severity vulnerabilities was down 16 percent from 2007.
Figure 1. Industry-wide vulnerability disclosures by CVSSv2 severity, by half-year, 1H03–2H08
 
Compounding the seriousness of the High severity vulnerabilities, the percentage of disclosed vulnerabilities that are easiest to exploit also increased; 56 percent required only a Low complexity exploit³.
 
The proportion of vulnerabilities disclosed in operating systems across the industry continued to decline; more than 90 percent of vulnerabilities disclosed affected applications or browsers (8.8 percent of vulnerabilities affected operating systems; 4.5 percent affected browsers; 86.7 percent affected applications or other software).
 
² CVSS is an industry standard for assessing the severity of software vulnerabilities. See http://www.first.org/cvss/ for more documentation and details.
 
³ Definition from: Mell, Peter, Karen Scarfone, and Sasha Romanosky. “A Complete Guide to the Common Vulnerability Scoring System Version 2.0,” ( ) section 2.1.2.
[Figure 1 chart: series Low, Medium, High; x-axis half-year periods 2H03 through 2H08]
 
 
Figure 2. Industry-wide operating system, browser and other vulnerabilities, 2H03–2H08
Microsoft Vulnerability Details for 2H08
In 2H08 Microsoft released 42 security bulletins which address 97 individual CVE-identified vulnerabilities, a 67.2 percent increase over the number of vulnerabilities addressed in 1H08. For the full year of 2008, Microsoft released 78 Security Bulletins addressing 155 vulnerabilities, a 16.8 percent increase over 2007.
Figure 3. Security Bulletins released and CVEs addressed by half-year, 1H05-2H08
[Figure 2 chart: series All Other, Browser Vulnerabilities, OS Vulnerabilities; x-axis half-year periods 2H03 through 2H08]
[Figure 3 chart: series Unique CVEs, Security Bulletins; x-axis half-year periods 1H and 2H of 2005 through 2008]