Documente Academic
Documente Profesional
Documente Cultură
This document is a summary of the key findings of the report. The full Security Intelligence Report also offers
strategies, mitigations, and countermeasures. It can be downloaded from http://www.microsoft.com/sir.
1
The nomenclature used throughout the report to refer to different reporting periods is nHYY, where nH refers to either the first (1) or second (2) half of the year, and
YY denotes the year. For example, 2H08 represents the period covering the second half of 2008 (July 1 through December 31), while 1H08 represents the period
covering the first half of 2008 (January 1 through June 30).
Industry Vulnerability Disclosures
Vulnerabilities are defined as weaknesses in software that allow an attacker to compromise the integrity,
availability, or confidentiality of that software. Some of the worst vulnerabilities allow attackers to run arbitrary
code on compromised systems. Vulnerability data in this section was gathered from third-party sources, published
reports, and Microsoft’s own data.
Across the IT industry, the total number of unique vulnerability disclosures decreased in 2H08, down
3 percent from 1H08. For 2008 as a whole, total disclosures were down 12 percent from 2007.
2
In contrast, vulnerabilities rated as High severity by the Common Vulnerability Scoring System (CVSS)
increased 4 percent over 1H08; roughly 52 percent of all vulnerabilities were rated as High severity.
For 2008 as a whole, the total number of High Severity vulnerabilities was down 16 percent from
2007.
4000
3500
3000
2500
Low
2000
Medium
1500
High
1000
500
0
2H03 1H04 2H04 1H05 2H05 1H06 2H06 1H07 2H07 1H08 2H08
Compounding the seriousness of the High severity vulnerabilities, the percentage of disclosed
vulnerabilities that are easiest to exploit also increased; 56 percent required only a Low complexity
3
exploit .
The proportion of vulnerabilities disclosed in operating systems across the industry continued to
decline; more than 90 percent of vulnerabilities disclosed affected applications or browsers (8.8
percent of vulnerabilities affected operating systems; 4.5 percent affected browsers; 86.7 percent
affected applications or other software).
2
CVSS is an industry standard for assessing the severity of software vulnerabilities. See http://www.first.org/cvss/ for more documentation and details.
3
Definition from: Mell, Peter, Karen Scarfone, and Sasha Romanosky. “A Complete Guide to the Common Vulnerability Scoring System
Version 2.0,” (http://www.first.org/cvss/cvss-guide.html) section 2.1.2.
Figure 2. Industry wide operating system, browser and other vulnerabilities, 2H03–2H08
4,000
3,500
3,000
2,500
All Other
2,000
Browser Vulnerabiilties
1,500
OS Vulnerabilities
1,000
500
-
2H03 1H04 2H04 1H05 2H05 1H06 2H06 1H07 2H07 1H08 2H08
120
100
80
60
Unique CVEs
40
Security Bulletins
20
0
1H 2H 1H 2H 1H 2H 1H 2H
In 2H08, 70.6 percent of Microsoft vulnerability disclosures adhered to responsible disclosure practices,
down from 78.2 percent in 1H08. The responsible disclosure percentage for the whole of 2008 was
significantly higher than that of the previous year.
Engaging with the security community directly, and proactively addressing security issues results in the
majority of issues being responsibly reported.
90%
80%
70%
60%
50%
40%
30%
20%
10%
0%
1H05 2H05 1H06 2H06 1H07 2H07 1H08 2H08
Browser-Based Exploits
To assess the relative prevalence of browser-based exploits in 2H08, Microsoft analyzed a sample of data obtained
from customer-reported incidents, submissions of malicious code, and Microsoft Windows® error reports. The
data encompasses multiple operating systems and browser versions, from Windows XP to Windows Vista®. It also
4
includes data from third-party browsers that host the Internet Explorer rendering engine, called Trident.
The most common system locale for victims of browser-based exploits was US English, accounting for 32.4
percent of all incidents, followed by Chinese (Simplified) with 25.6 percent of incidents.
For browser-based attacks on Windows XP–based machines, Microsoft vulnerabilities accounted for 40.9
percent of the total, down from 42.0 percent in 1H08. On Windows Vista–based machines, the Microsoft
proportion was much smaller, accounting for just 5.5 percent of the total, down from 6.0 percent in 1H08.
4
See http://msdn.microsoft.com/en-us/library/aa939274.aspx for more information on Trident.
Figure 5. Browser-based exploits targeting Microsoft Figure 6. Browser-based exploits targeting Microsoft
and third-party software on computers running and third-party software on computers running
Windows XP, 2H08 Windows Vista, 2H08
Microsoft
5.5%
Microsoft
40.9%
3rd Party
59.1%
3rd Party
94.5%
Microsoft software accounted for 6 of the top 10 browser-based vulnerabilities attacked on computers
running Windows XP in 2H08, compared to zero on computers running Windows Vista – similar to the
pattern observed in 1H08. The figures below detail the top 10 browser-based vulnerabilities attacked on
Windows XP-based computers and Windows Vista-based computers. The vulnerabilities are referenced by
the relevant CVSS bulletin number or by Microsoft Security Bulletin number as appropriate.
Figure 7. Top 10 browser-based vulnerabilities exploited on computers running Windows XP, 2H08
10%
9%
Microsoft
8% Vulnerabilities
7% Third Party
Vulnerabilities
6%
5%
4%
3%
2%
1%
0%
Figure 8. Top 10 browser-based vulnerabilities exploited on computers running Windows Vista, 2H08
18%
16%
14% Third Party Vulnerabilities
12%
10%
8%
6%
4%
2%
0%
Office
2003
SP1
8.3% Office Office Office Office
2003 XP XP 2000
RTM SP2 RTM RTM
80.1% 12.2% 60.9% 100%
2.5
2.0
1.5
CVE-2008-2992
1.0
CVE-2007-5659
0.5
0.0
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
The top category reported for data loss through a security breach in 2H08 continued to be stolen
equipment such as laptop computers (33.5 percent of all data-loss incidents reported). Together with lost
equipment, these two categories account for 50 percent of all incidents reported.
Security breaches from “hacking” or malware incidents remains less than 20 percent of the total.
5
These findings reinforce the need for appropriate data governance policies and procedures.
5
Microsoft provides data governance resources and guidance at
http://www.microsoft.com/mscorp/twc/privacy/datagovernance/default.mspx
Figure 11. Security breach incidents by type, expressed as percentages of the total, 2H07 - 2H08
50%
45%
40%
35%
30%
25%
2H07
20%
15% 1H08
10% 2H08
5%
0%
Despite the global nature of the Internet, there are significant differences in the types of threats that
affect users in different parts of the world. As the malware ecosystem becomes more reliant on social
engineering, threats worldwide have become more dependent on language and cultural factors - in China,
several malicious browser modifiers are prevalent; in Brazil, malware that targets users of online banks is
widespread; in Korea, viruses such as Win32/Virut and Win32/Parite are common.
Figure 12. Threat categories worldwide and in the eight locations with the most computers cleaned, by incidence
among all computers cleaned, 2H08
60% Misc. Trojans
Viruses
0%
Exploits
Spyware
6
The following map illustrates the infection rates of locations around the world, expressed in CCM .
Figure 14. Number of computers cleaned for every 1,000 MSRT executions, by operating system, 2H08
40
35
30
25
20
15
10
5
0
6
Infection rates in this report are expressed using a metric called Computers Cleaned per Mil (CCM) that represents the number of computers
cleaned per thousand executions of the MSRT.
The infection rate for Windows Vista is significantly lower than that of its predecessor, Windows XP, in all
configurations.
Comparing the latest service packs for each version, the infection rate of Windows Vista SP1 is 60.6
percent less than that of Windows XP SP3.
Comparing the RTM versions of these operating systems, the infection rate of the RTM version of
Windows Vista is 89.1 percent less than that of the RTM version of Windows XP.
The infection rate of Windows Server 2008 RTM is 52.6 percent less than that of its predecessor, Windows
Server 2003 SP2.
The higher the service pack level, the lower the rate of infection. This trend can be observed consistently
across client and server operating systems. There are two reasons for this:
Service packs include all previously released security updates. They can also include additional
security features, mitigations, or changes to default settings to protect users.
Users who install service packs generally maintain their computers better than users who do not
install service packs and may also be more cautious in the way they browse the Internet, open
attachments, and engage in other activities that can open computers to attack.
Server versions of Windows typically display a lower infection rate on average than client versions.
Servers tend to have a lower effective attack surface than computers running client operating systems as
they are more likely to be used under controlled conditions by trained administrators and to be protected
by one or more layers of security. In particular, Windows Server 2003 and its successors are hardened
against attack in a number of ways, reflecting this difference in usage.
Figure 15. Family categories removed by Windows Live OneCare and Forefront Client Security in 2H08, by
percentage of the total number of computers cleaned by each program
60%
50%
40%
30%
20%
Windows Live
10%
OneCare
0%
Forefront Client
Security
Figure 16. Computers cleaned by threat category, in percentages, 2H06–2H08
Worms
20%
Password Stealers &
15% Monitoring Tools
Backdoors
10%
Viruses
5%
Exploits
0%
Spyware
2H06 1H07 2H07 1H08 2H08
Figure 17. Malware hosting sites detected by country/region in 2H08, indexed to the average of all locations
Figure 18. Malware hosting sites detected in the United States in 2H08, indexed to the average of all locations
E-mail Threats
More than 97 percent of e-mail messages sent over the Internet are unwanted: they have malicious
attachments or are phishing attacks or spam.
As in previous periods, spam in 2H08 was dominated by product advertisements, primarily
pharmaceutical products (48.6 percent of the total). Together with non-pharmacy product ads (23.6
percent of the total), product advertisements accounted for 72.2 percent of spam in 2H08.
Figure 19. Inbound messages blocked by EHS content filters, by category, 1H08-2H08
45%
40%
35%
30%
25%
20%
15%
10%
1H08
5%
0% 2H08
Malicious Web Sites
Most phishing pages target financial organizations, however in terms of impressions (instances of users attempting
to visit a known phishing page) social networks are also commonly targeted.
Figure 20. Impressions for each type of phishing page each month in 2H08, indexed to the average number of
monthly impressions for the period.
1.4
1.2
1.0
0.8
Web Service
0.6
Social Networking
0.4
Financial
0.2
Commerce
0.0
The McColo de-peering in mid-November appears to have had a dramatic effect on phishing impressions,
which dropped 46.2 percent from October to November. Visits to phishing pages targeting social
networking sites dropped from 34.1 percent of all impressions in October to just 1.1 percent in
November.
The country hosting the highest number of phishing sites was the United States, with Texas being the
state hosting the highest number of phishing sites.
Figure 21. Worldwide distribution of phishing sites in 2H08, indexed to the average of all locations
Figure 22. Phishing sites detected in the United States in 2H08, indexed to the average of all locations.
This summary is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE
INFORMATION IN THIS SUMMARY. No part of this summary may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by
any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this summary. Except as
expressly provided in any written license agreement from Microsoft, the furnishing of this summary does not give you any license to these patents, trademarks,
copyrights, or other intellectual property.
Microsoft, the Microsoft logo, Windows, Windows XP, Windows Vista, and Microsoft Office are either registered trademarks or trademarks of Microsoft Corporation
in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.