In the latest edition of its twice-yearly Security Intelligence Report, Microsoft reports that the security gains it made in Windows Vista have paid off and that its operating system dramatically more secure than previous versions and competing products. However, electronic PC attacks still grew by 43 percent in the first half of 2008. The culprit? Windows applications made by other companies.
"Now we have a third-party problem and it's something we have to go solve," said Microsoft Security Engineering and Communications general manager George Stathakopoulos.
In a related report, H1 2008 Deskop OS Vendor Report, Microsoft security director Jeff Jones noted that of the major OS vendors--Apple, Microsoft, Red Hat, and Ubuntu--Microsoft fixed security bugs far more quickly than the competitors. And its latest OS, Windows Vista, had the fewest vulnerabilities in the first half of 2008. (Its previous OS, Windows XP, had the second fewest.) Vulnerabilities on rival Mac OS X and Linux systems were generally several times as voluminous, and Mac OS X suffered from the most problems by far. It had twice as many serious vulnerabilities as Vista and seven times the total vulnerabilities.
While Apple likes to talk up the quality of its products, the company is also the slowest to patch. And Microsoft patches vulnerabilities three times faster than does Apple.
"Combined, \[OS\] vendors fixed 585 vulnerabilities in H1 2008," Jones notes. "Red Hat fixed the most issues (292) across all of the products they support and Microsoft fixed the fewest issues (58). Roughly 90% of Microsoft issues were fixed within a day of public disclosure - relatively good news for Microsoft customers."
"While Windows Vista users saw the fewest vulnerabilities in 1H08 at 21, Windows XP SP2 users had cause for celebration as well," Jones continues. "With 26 vulnerabilities fixed in 1H08, Windows XP experienced a 25 percent reduction from the previous year. After excluding optional (and uncommon) components from the Linux distributions, Ubuntu was next lowest with 85 vulnerabilities, followed by \[Red Hat\] with 106 and Mac OS X 10.5 with the most at 138 vulnerabilities."
While Microsoft's success with Windows security--the result of a 2003 overhaul in which the company reengineered all of its products with security threat modeling as a core tenet--should be celebrated, electronic attacks on PCs still grew dramatically this year. What gives? It turns out that computer users are still succumbing to the so-called "dancing pony" problem, where an email arrives with a link to a malicious Web site. Microsoft has worked to secure its Web browser, Internet Explorer, as well. But increasingly, these attacks are taking advantage of third party application vulnerabilities, and not issues with the browser or OS. And the biggest culprits are companies like Apple and RealNetworks.
That's right: In addition to creating the most-often-patched operating system (which it then releases patches for at the slowest rate in the industry), Apple's insecure application software also affects users of the market leader, Windows. According to Microsoft, none of the top 10 vulnerabilities in Windows Vista this year were related to the OS or browser; they were all caused by third party applications. (Meanwhile, 5 of the top 10 vulnerabilities in Windows XP are browser or OS related.)
The new version of the Security Intelligence Report will be released sometime today, Microsoft says.