Wednesday, April 08, 2009

Microsoft Security Intelligence Report 2H08

The Microsoft Security Intelligence Report for the second half of 2008 has been released (the 184 PDF version, available from is timestamped the evening of April 6th). We reported on the last SIR report back on November 11, 2008 - please see Microsoft Reveals Malware and Spam Trends for our coverage of that report.

Number of Security Vulnerabilities

52% of the Security Vulnerability announced throughout the industry, via the Common Vulnerability Scoring System were of "High" criticality, while 56% of them were "Easy to exploit". 90% of the industry vulnerability announcements related to applications or browsers. Only 10% dealt with Operating Systems.

Microsoft released 42 Security patches during the 2H08 period.


More than 97% of the email sent across the Internet during 2H08 was unwanted! They have malicious attachments, they are phishing emails, or they are just plain spam. As all of us already suspected 48.6% of all the spam observed during 2H08 was for pharmaceutical products. Another 23% were for non-pharmacy product advertisements.

Notice that the Stock Pump & Dump spam almost disappeared. What would they sell if we could do the same thing to pharmacy spam?

The report also calls attention to the demise of McColo as being the big enforcement action of the year. This section of their report is called "Spam Volume Drops 46 Percent When Hosting Provider Goes Offline". The spam level at the end of December was still lower than the pre-McColo action on November 11th.

Browser Drive-By-Infections

About 1 in 1500 websites (more than 1 million) indexed by Live Search (Microsoft's answer to the Google search engine, available at contained a drive-by-download page. More than 1% of websites with a ".cn" country code hosted drive-by-download exploits. When they looked at the products that were being exploited in these driver exploits, #1 and #2 were Adobe Flash and RealPlayer.

(from p.48 of the Microsoft SIR report for 2H08)

On Windows XP machines, browser exploits targeted a Microsoft product 40.9% of the time. On Windows Vista machines, successful browser exploits targeted a Microsoft product only 5.5% of the time. This is one of many places throughout the document that Microsoft reminds us that Vista is a more secure operating system than XP.

In the first half of 2008, most compromised browsers were running Chinese language set (zh-CN = 25.6%). In the second half of 2008, American English language browsers easily passed them (en-US = 32.4%).

Social Engineering

The SIR report makes a point that the criminals today are having great success with social engineering targeting Fear, Trust, and Desire. Rogue Security Software did so well, because people are afraid of viruses.

Of the Social Engineering attacks that were based on an infected Microsoft Office File program, 91.3% of the attacks used the more than two year old exploit, CVE-2006-2492 MS06-027 to infect users via a Microsoft Word document. Curiously only 32.5% of these infected Word documents targeted en-US machines. 15.7% targeted Taiwanese machines, 12% Russian, 11.1% other Chinese machines, and 2.6% Iraqi machines.

Two Adobe PDF reader exploits also became popular in 2H08, spreading strongly and increasingly from October until the end of the year. 57% of the Adobe attacks targeted en-US machines. China didn't make the top ten on that list.

One important note regarding corrupt Office documents. Microsoft's SIR report recommends that users *NOT* run "Windows Update", but rather run "Microsoft Update". Applying Windows Update will never prompt you to install Microsoft Office patches, which may be why so many machines are still vulnerable to two year old malware. The report recommends that users read this entry:

How Is Windows Update Different Than Microsoft Update?, and make the appropriate changes on their machines.

Security Breaches

The report also makes clear that the trend has continued - most security breaches are accomplished not through "hacking" (though more than 15% are), but through stolen or lost equipment, usually laptops.

Geographic Trends

In 2H08, 13.2Million US computers were cleaned by Microsoft's anti-malware desktop products.

(source: SIR report p. 69)

For more details, please see the full SIR report.

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.