[Infowarrior] - On Security, Microsoft Reports Progress and Alarm
Richard Forno
rforno at infowarrior.org
Mon Nov 3 13:31:55 UTC 2008
November 3, 2008
On Security, Microsoft Reports Progress and Alarm
By JOHN MARKOFF
http://www.nytimes.com/2008/11/03/technology/companies/03security.html?_r=1&oref=slogin&pagewanted=print
Microsoft plans to report on Monday that the security of its Windows
operating system has significantly improved, while at the same time
the threat of computer viruses, frauds and other online scourges has
become much more serious.
The company blames organized crime, naïve users and its competitors
for the deteriorating situation.
In the latest edition of its twice-a-year “Security Intelligence
Report,” Microsoft said that the amount of malicious or potentially
harmful software removed from Windows computers grew by 43 percent
during the first half of 2008.
The company said improvements in security for its Windows Vista
operating system and security updates to the previous Windows XP
system had made such software a less attractive target for attackers.
Instead they have shifted their attention to security holes in
individual programs.
During the first half of the year, 90 percent of newly reported
vulnerabilities involved applications, and only 10 percent affected
operating systems, according to the report.
Microsoft executives said they were pleased with the progress made
since the company was shaken by a series of destructive programs that
spread rapidly around the world over the Internet beginning in 2003.
But they said that unless software development practices change
throughout the industry, any improvements in the security of Windows
would be meaningless.
“This story is real,” said George Stathakopoulos, general manager for
Microsoft’s Security Engineering and Communications group, referring
to the improvement in the company’s engineering practices. “Now we
have a third-party problem and it’s something we have to go solve.”
Security researchers said they were sympathetic to Microsoft’s plight.
“The only thing that Microsoft can patch is their own software,” said
Patrik Runald, chief security adviser for F-Secure, a computer
security firm in Finland. “That’s not what the bad guys are using to
get into computers these days. It’s certainly a challenge.”
Microsoft and the computer industry have also been unable to solve the
so-called dancing pony problem. That refers to the propensity of many
computer users to click on enticing links in their e-mail or to visit
seductive but malicious Web sites, leaving them vulnerable to Trojan
horse downloads and other infections.
Over the last three years the computer security industry has been
fighting a losing battle, as the ability of computer criminals to
profit from identity theft and a variety of other scams has led to the
development of a robust underground industry generating viruses and
other so-called malware.
Microsoft has tried to combat the problem by building a variety of
safeguards into its operating systems and its Internet Explorer
browser, with mixed success. The User Account Control feature of
Windows Vista, which popped up an endless stream of warnings that
irritated users, proved to be one of the key factors in the poor
reception for Vista. Last week in Los Angeles, the company said it had
entirely reworked the user interface of its new Windows 7 operating
system to minimize user frustration.
In comparing Web browser vulnerabilities in Windows XP and Windows
Vista in the first half of the year, the new report found that while
Microsoft could be blamed for half of the top 10 vulnerabilities in
Windows XP, the top 10 browser vulnerabilities under Vista all came
from third-party add-on software from companies like Apple and
RealNetworks.
A companion report published by Jeffrey R. Jones, a Microsoft security
director, claims that Microsoft is fixing security-related bugs about
three times as fast as three of its rivals: Apple, Ubuntu and Red Hat.
An Apple spokesman, Bill Evans, said Microsoft had previously issued
similar reports and declined to comment beyond saying that the data
was not supported by users’ experience of infections.
Microsoft has a unique vantage point from which to monitor the world
of malware and other threats because it receives automated data both
from free software it has given to users, like the Malicious Software
Removal Tool, and from specialized Internet reporting systems that
monitor threats. It also receives data about crashes on more than a
half-billion personal computers.
The current report indicates that malware infection rates are
generally higher in developing countries and regions than in developed
ones. Infection rates range from 1.8 for every 1,000 computers in
Japan to above 76.4 for every 1,000 in Afghanistan. The United States
had an infection rate of 11.2 infected computers for every 1,000
scanned, an increase of 25.5 percent in the last six months.