Monday, November 3, 2008

On Security, Microsoft Reports Progress and Alarm

Microsoft plans to report on Monday that the security of its Windows operating system has significantly improved, while at the same time the threat of computer viruses, frauds and other online scourges has become much more serious.

The company blames organized crime, naïve users and its competitors for the deteriorating situation.

In the latest edition of its twice-a-year “Security Intelligence Report,” Microsoft said that the amount of malicious or potentially harmful software removed from Windows computers grew by 43 percent during the first half of 2008.

The company said improvements in security for its Windows Vista operating system and security updates to the previous Windows XP system had made such software a less attractive target for attackers. Instead, they have shifted their attention to security holes in individual programs.

During the first half of the year, 90 percent of newly reported vulnerabilities involved applications, and only 10 percent affected operating systems, according to the report.

Microsoft executives said they were pleased with the progress made since the company was shaken by a series of destructive programs that spread rapidly around the world over the Internet beginning in 2003. But they said that unless software development practices change throughout the industry, any improvements in the security of Windows would be meaningless.

“This story is real,” said George Stathakopoulos, general manager for Microsoft’s Security Engineering and Communications group, referring to the improvement in the company’s engineering practices. “Now we have a third-party problem and it’s something we have to go solve.”

Security researchers said they were sympathetic to Microsoft’s plight.

“The only thing that Microsoft can patch is their own software,” said Patrik Runald, chief security adviser for F-Secure, a computer security firm in Finland. “That’s not what the bad guys are using to get into computers these days. It’s certainly a challenge.”

Microsoft and the computer industry have also been unable to solve the so-called dancing pony problem. That refers to the propensity of many computer users to click on enticing links in their e-mail or to visit seductive but malicious Web sites, leaving them vulnerable to Trojan horse downloads and other infections.

Over the last three years the computer security industry has been fighting a losing battle, as the ability of computer criminals to profit from identity theft and a variety of other scams has led to the development of a robust underground industry generating viruses and other so-called malware.

Microsoft has tried to combat the problem by building a variety of safeguards into its operating systems and its Internet Explorer browser, with mixed success. The User Account Control feature of Windows Vista, which popped up an endless stream of warnings that irritated users, proved to be one of the key factors in the poor reception for Vista. Last week in Los Angeles, the company said it had entirely reworked the user interface of its new Windows 7 operating system to minimize user frustration.

In comparing Web browser vulnerabilities in Windows XP and Windows Vista in the first half of the year, the new report found that while Microsoft could be blamed for half of the top 10 vulnerabilities in Windows XP, the top 10 browser vulnerabilities under Vista all came from third-party add-on software from companies like Apple and RealNetworks.

A companion report published by Jeffrey R. Jones, a Microsoft security director, claims that Microsoft is fixing security-related bugs about three times as fast as three of its rivals: Apple, Ubuntu and Red Hat.

An Apple spokesman, Bill Evans, said Microsoft had previously issued similar reports and declined to comment beyond saying that the data was not supported by users’ experience of infections.

Microsoft has a unique vantage point from which to monitor the world of malware and other threats because it receives automated data both from free software it has given to users, like the Malicious Software Removal Tool, and from specialized Internet reporting systems that monitor threats. It also receives data about crashes on more than a half-billion personal computers.

The current report indicates that malware infection rates are generally higher in developing countries and regions than in developed ones. Infection rates range from 1.8 for every 1,000 computers in Japan to above 76.4 for every 1,000 in Afghanistan. The United States had an infection rate of 11.2 infected computers for every 1,000 scanned, an increase of 25.5 percent in the last six months.

Source: http://www.nytimes.com/