Microsoft Security Intelligence Report Volume 7 Jan-Jun2009


Welcome to the seventh installment of Microsoft's Security Intelligence Report, which I hope you will find is the most extensive and comprehensive edition to date. The cover story in this report looks back at the major threats that have attacked customers over the last 10 years, and then the report drills deeply into the current threats that you need to understand and includes what you can do to best manage your risks.

At Microsoft, we remember the pain past incidents caused our customers and we reflect on them frequently. In particular, the Slammer and Blaster attacks that disrupted the Internet in 2003 are vivid reminders of the responsibility we have at Microsoft to ensure our products are as secure and privacy-enhanced as possible.

As you can see from the timeline above, 2003 and 2004 were difficult times. But, you can also see that since then, major security incidents have become less and less frequent. From the data in this report, you'll also note that the scope and impact of major events have changed, as well. For example, from the press surrounding the Conficker worm that has been attacking customers over the past year, it's easy to conclude that Conficker is just as widespread and impactful as Slammer or Blaster—but in most respects, it hasn't been. In 2003, Blaster became one of the most prevalent threats impacting home PC users. Six years later, Conficker didn't even make the Top 10 list among this audience. I don't want to minimize the pain that many of our customers experienced fighting Conficker, because, as you'll read in the report, it was the top threat detected and cleaned in enterprises in the first half of 2009, but Conficker emerged in a much different software industry than Slammer and Blaster.

Indeed, the software industry has matured a great deal since the days of Slammer and Blaster. Since 2003, the software industry has improved its ability to mobilize and coordinate resources to fight threats. Industry partnerships such as the Microsoft Security Response Alliance (MSRA)¹ didn't exist when criminals perpetrated the Slammer and Blaster attacks. These industry partnerships, along with others like the Industry Consortium for Advancement of Security on the Internet (ICASI), have all been founded since 2003 to help protect customers and assist the software industry in responding to major security events faster and more effectively -- because they allow members to share information and coordinate efforts. The Conficker Working Group (CWG) was founded earlier this year, establishing a new model for how the collective industry can work together to mitigate global threats.

The industry was able to proactively get ahead of Conficker by discovering the vulnerability before attackers could use it in widespread attacks. The Security Science team at Microsoft was able to find the MS08-067 vulnerability, which Conficker uses to propagate, and work with the Microsoft Security Response Center (MSRC) to release its update before attackers could use it for a Blaster-type attack. Our industry partners helped protect many customers from attack via the Microsoft Active Protections Program (MAPP). MAPP supplies Microsoft vulnerability information to security software partners prior to security update releases from Microsoft. By obtaining security-vulnerability information earlier from the MSRC, partners gain additional time to build customer software protections ahead of Microsoft's public security update release. The program serves security providers, particularly vendors of security software or devices, such as anti-virus, network-based intrusion detection and prevention systems (IDS/IPS), or host-based intrusion prevention systems (HIDS/HIPS). This program enabled the majority of MAPP partners to provide protections to their customers for Conficker 24 hours after the MS08-067 security update was released. This meant that many customers were protected up to a week earlier than traditionally possible, and certainly much earlier than customers could obtain such defense-in-depth protections and threat mitigations in 2003.

¹ MSRA includes programs like the Global Infrastructure Alliance for Internet Safety (GIAIS), the Microsoft Virus Initiative (MVI), the Virus Information Alliance (VIA), the Security Cooperation Program (SCP), and the Microsoft Security Support Alliance (MSSA).

With the vulnerability that Slammer exploited, many administrators didn't know whether they needed to apply a security update or that it had to be applied manually. Today, customers are notified and protected much faster; multiple communications channels exist to help customers find and understand information on security vulnerabilities. Security advisories help draw attention to security issues as they unfold, and provide customers with critical information before security bulletins become available. Microsoft's advanced notification service provides customers with an insight into the number and nature of security updates that Microsoft will be releasing each month so they can plan more effectively for the deployment of the updates. Security bulletins provide information on vulnerabilities, along with workarounds and mitigations. As you'll read in this report, over 96 percent of all bulletins contain workarounds and/or mitigations to give customers more information, options and time to make better deployment decisions.

Keeping Microsoft software up-to-date is easier today than it was in the Slammer/Blaster era. With automatic updates for consumers and small businesses, and Windows Server Update Services and System Center Configuration Manager for enterprises, plus the availability of many third-party updating services, customers have quicker access to security information and more help deploying security updates than ever before.

If you aren't familiar with some, or any, of these advancements, please review the Microsoft Security Update Guide that we published earlier this year. It will help you find and use all of the information, programs, tools and communications channels that Microsoft uses to help protect its customers. The guide can be found here: http://www.microsoft.com/downloads/details.aspx?familyid=C3D986D0-

The progress that the software industry has made to better protect systems and customers might be small consolation to the users of those 5 million systems that were infected with Conficker in the first half of 2009. Still, it is a significant step forward, given that more than 100 times as many systems were protected from Conficker. This is in stark contrast to the Slammer and Blaster attacks of 2003 where many, many more systems were infected. The industry will continue to work together to make the frequency, scale and scope of emerging threats as minimal as possible.

We thank you for your help and efforts to protect the ecosystem, and look forward to continuing to work with you to create a safer, more trusted Internet.

George Stathakopoulos

General Manager, Trustworthy Computing Security

Trustworthy Computing Group
