The era of operating system vulnerability is slowly drawing to a
close, with more than nine out of 10 published software vulnerabilities
now appearing in applications, Microsoft's latest half-yearly report
has suggested.
According to the company's Security Intelligence
Report for the first half of 2008, OS vulnerabilities are now stable at
between 6 and 8 percent of those reported, a level they have been at
since the first half of 2006. Vulnerabilities in Windows XP and Vista
have shown a modest decrease in 2008, continuing a similar trend over
the same period.
But the report paints a more complex picture in terms of which platforms
are the ones most likely to run vulnerable applications. Vista scores
well, with Microsoft-based software accounting for only 6 percent of
vulnerabilities on that platform, and none of the top ten browser-based
holes hitting the OS.
Over the period, the biggest Vista-based software vulnerabilities
appeared to be in two ActiveX controls installed only in China, which
would seem to confirm the relative obscurity of serious issues on the
platform.
XP, by contrast, is still Microsoft's biggest headache, with 42 percent
of all app holes on that platform coming from Microsoft's own software.
Using the number of PCs cleaned per 1,000 executions of Microsoft's own
Malicious Software Removal Tool (MSRT), Vista SP1 scored 4.5, while the
different updates of XP scored between 9.2 and 33.8. All of this
confirms what has been well established in the past: XP and its
applications are still relatively vulnerable, while the newer Vista and
its applications do considerably better.
Across the industry as a whole, software vulnerabilities classified by
the industry-standard Common Vulnerability Scoring System v2 (CVSSv2) as
'severe' now account for 7.3 percent of those made public, with a
startling 41 percent classified as 'high'. More encouragingly, Microsoft
reports, only 10.4 percent of holes had publicly available exploit code.
In truth, it is extremely hard to gauge from the report how Windows is
stacking up against rival platforms such as Apple or Linux in terms of
OS and app holes, but the overall message to take away appears to be
that the OS is not the main worry. The big concern now is browsers on
all platforms, including Windows.
Analyzing these by locale showed that China was the most likely place
for browser-based exploits to hit, with 46.6 percent of them happening
in that country across all platforms. The US came second on 23 percent,
Russia third with 7 percent and the UK some way back with 2.4 percent.
Source: http://www.pcworld.com/