[Infowarrior] - On Security, Microsoft Reports Progress and Alarm

Mon Nov 3 13:31:55 UTC 2008

November 3, 2008
On Security, Microsoft Reports Progress and Alarm
By JOHN MARKOFF

http://www.nytimes.com/2008/11/03/technology/companies/03security.html?_r=1&oref=slogin&pagewanted=print

Microsoft plans to report on Monday that the security of its Windows  
operating system has significantly improved, while at the same time  
the threat of computer viruses, frauds and other online scourges has  
become much more serious.

The company blames organized crime, naïve users and its competitors  
for the deteriorating situation.

In the latest edition of its twice-a-year “Security Intelligence  
Report,” Microsoft said that the amount of malicious or potentially  
harmful software removed from Windows computers grew by 43 percent  
during the first half of 2008.

The company said improvements in security for its Windows Vista  
operating system and security updates to the previous Windows XP  
system had made such software a less attractive target for attackers.  
Instead they have shifted their attention to security holes in  
individual programs.

During the first half of the year, 90 percent of newly reported  
vulnerabilities involved applications, and only 10 percent affected  
operating systems, according to the report.

Microsoft executives said they were pleased with the progress made  
since the company was shaken by a series of destructive programs that  
spread rapidly around the world over the Internet beginning in 2003.  
But they said that unless software development practices change  
throughout the industry, any improvements in the security of Windows  
would be meaningless.

“This story is real,” said George Stathakopoulos, general manager for  
Microsoft’s Security Engineering and Communications group, referring  
to the improvement in the company’s engineering practices. “Now we  
have a third-party problem and it’s something we have to go solve.”

Security researchers said they were sympathetic to Microsoft’s plight.

“The only thing that Microsoft can patch is their own software,” said  
Patrik Runald, chief security adviser for F-Secure, a computer  
security firm in Finland. “That’s not what the bad guys are using to  
get into computers these days. It’s certainly a challenge.”

Microsoft and the computer industry have also been unable to solve the  
so-called dancing pony problem. That refers to the propensity of many  
computer users to click on enticing links in their e-mail or to visit  
seductive but malicious Web sites, leaving them vulnerable to Trojan  
horse downloads and other infections.

Over the last three years the computer security industry has been  
fighting a losing battle, as the ability of computer criminals to  
profit from identity theft and a variety of other scams has led to the  
development of a robust underground industry generating viruses and  
other so-called malware.

Microsoft has tried to combat the problem by building a variety of  
safeguards into its operating systems and its Internet Explorer  
browser, with mixed success. The User Account Control feature of  
Windows Vista, which popped up an endless stream of warnings that  
irritated users, proved to be one of the key factors in the poor  
reception for Vista. Last week in Los Angeles, the company said it had  
entirely reworked the user interface of its new Windows 7 operating  
system to minimize user frustration.

In comparing Web browser vulnerabilities in Windows XP and Windows  
Vista in the first half of the year, the new report found that while  
Microsoft could be blamed for half of the top 10 vulnerabilities in  
Windows XP, the top 10 browser vulnerabilities under Vista all came  
from third-party add-on software from companies like Apple and  
RealNetworks.

A companion report published by Jeffrey R. Jones, a Microsoft security  
director, claims that Microsoft is fixing security-related bugs about  
three times as fast as three of its rivals: Apple, Ubuntu and Red Hat.

An Apple spokesman, Bill Evans, said Microsoft had previously issued  
similar reports and declined to comment beyond saying that the data  
was not supported by users’ experience of infections.

Microsoft has a unique vantage point from which to monitor the world  
of malware and other threats because it receives automated data both  
from free software it has given to users, like the Malicious Software  
Removal Tool, and from specialized Internet reporting systems that  
monitor threats. It also receives data about crashes on more than a  
half-billion personal computers.

The current report indicates that malware infection rates are  
generally higher in developing countries and regions than in developed  
ones. Infection rates range from 1.8 for every 1,000 computers in  
Japan to above 76.4 for every 1,000 in Afghanistan. The United States  
had an infection rate of 11.2 infected computers for every 1,000  
scanned, an increase of 25.5 percent in the last six months.