Microsoft Report Shows Drop in Vulnerabilities and Increase in Malicious Codes

On Monday, Microsoft released its latest Security Intelligence Report, which states that the total number of vulnerabilities disclosed in 2007 dropped by almost 5 percent, while the amount of malicious code discovered increased by more than 40 percent.

The report, which Microsoft issues twice a year, notes that vulnerability disclosures fell approximately 15 percent in the second half of 2007 and 5 percent for the year as a whole. High-severity flaws did not follow the same pattern: while the number of high-severity vulnerabilities fell in the second half of 2007, the total for the year exceeded 2006’s count. Around a third of all vulnerabilities in Microsoft products had publicly available exploit code in 2007, the same proportion as the previous year.

While vendors appear to be reducing the number of vulnerabilities in their products, PC users are advised to focus on malicious code. During the second half of 2007, the amount of malware removed from PCs by Microsoft’s Malicious Software Removal Tool (MSRT) rose 40 percent. Trojan horses that download or drop additional code are cited as the most commonly found harmful programs. In the last six months of 2007, the software giant saw a 300 percent increase in the number of such programs, according to Jimmy Kuo, principal architect with Microsoft’s Malware Protection Center.

In the report, Microsoft stated, “Clearly, this category of malware has become a tool of choice for some attackers,” adding, “IT professionals and security professionals alike should become familiar with this type of malware so that they can better protect their networks from attacks that leverage it.”

Microsoft’s semi-annual report draws on information gathered from several public sources along with data from the company’s own Malicious Software Removal Tool (MSRT), Windows Defender, Windows Live OneCare, and Exchange Hosted Services. A few days earlier, at the RSA conference, Microsoft called for an information-technology industry strategy to build more trust in the Internet.

Microsoft also echoed a finding by security firm Symantec that most data breaches result from stolen equipment. A mere 13 percent of security breach notifications in the second half of 2007 were attributed to exploits, malware, or hacking.

Microsoft’s latest report notes that the most commonly found malicious software in the second half of 2007 was Win32/WinFixer, also known as WinAntivirusPro, a program that disguises itself as a malware removal tool. Though Microsoft issued fewer bulletins and patched fewer flaws in 2007, the number of flaws in Microsoft Office went up; the company notes that most only seriously affected earlier versions of the program.

Some data from Microsoft’s report:

  • The total number of malware items removed by Microsoft’s tool was up 55 percent from the first six months of 2007.
  • Adware is still the most common form of unwanted software, and was up 66 percent in the second half of the year to 34.3 million detections. The top piece of adware for the period was Win32/Hotbar, which installs an Internet Explorer toolbar that spews pop-up ads onto the PC.
  • Between 75 and 80 percent of phishing pages tracked by the Microsoft Phishing Filter were in English, and phishing is now moving from e-mail onto social networks.
  • Rogue security software is on the rise. The most widely spotted of these bogus or malicious programs that pretend to protect PCs was Win32/Winfixer. It popped up five times as frequently as its nearest rival.
  • Microsoft fixed fewer bugs in 2007 than in 2006. The company released 69 security updates in 2007, fixing 100 bugs. That’s down nearly 30 percent from the 142 vulnerabilities it fixed in 2006.