Security Updates and Exploits

As you may know, we announced version four of the Microsoft Security Intelligence Report earlier this week. Amongst the many interesting findings is data which relates to software vulnerability exploits. I wanted to highlight these as Shoaib, one of my blog readers, contacted me recently to get my views on a post he wrote.

Here are the key findings:

  • During 2007, 32.2 percent of known security vulnerabilities (CVE IDs) in the Microsoft products analyzed for this report had publicly available exploit code. This is nearly identical to the totals from 2006 when 32.7 percent of known security vulnerabilities for the same products had publicly available exploit code.
  • Microsoft matched each public exploit with its corresponding vulnerability using CVE identifiers and Microsoft security bulletins. The number of Microsoft security bulletins released in 2007 was 11.5 percent lower than in 2006, and the number of vulnerabilities covered by those bulletins was 29.6 percent lower than the number covered by the 2006 bulletins.
  • In a product-by-product comparison, more recent versions of Microsoft products were proportionally less affected by publicly available exploit code than earlier versions. This trend is especially visible with Microsoft Office. Only 11.1 percent of known vulnerabilities in the 2007 Microsoft Office system had exploit code publicly available, compared with 45.8 percent for Office 2003 and Office XP, and 52.4 percent for Office 2000.

We additionally looked at the exploits based on CVE.
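The second finding describes the method behind these percentages: public exploits are joined to vulnerabilities by CVE identifier, and vulnerabilities are grouped by product through the security bulletins that fixed them. The following is an added example, not code from the report or from Microsoft, that reproduces that join on constructed sample data. Every bulletin ID, CVE ID, product name and exploit entry below is a placeholder, not a value from the report; the functions `normalize_cve`, `cves_by_product`, `match_exploits` and `exploit_share` are hypothetical names chosen for this example.

```python
"""Per-product share of CVEs with public exploit code (added example, constructed data)."""
import re
from collections import defaultdict

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def normalize_cve(cve_id):
    """Canonical upper-case form so feeds that differ in casing still join."""
    cve_id = cve_id.strip().upper()
    if not CVE_RE.match(cve_id):
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return cve_id


# Constructed sample bulletins: bulletin id -> product and the CVEs it fixed.
# All IDs are placeholders, not real bulletins or CVEs.
BULLETINS = {
    "MSxx-001": {"product": "Office 2000", "cves": ["CVE-0000-0001", "CVE-0000-0002"]},
    "MSxx-002": {"product": "Office 2003", "cves": ["CVE-0000-0003", "CVE-0000-0004", "CVE-0000-0005"]},
    "MSxx-003": {"product": "Office 2007", "cves": ["CVE-0000-0006", "CVE-0000-0007", "cve-0000-0008"]},
    # A second bulletin for the same product that re-lists an already counted CVE.
    "MSxx-004": {"product": "Office 2000", "cves": ["CVE-0000-0002", "CVE-0000-0009"]},
}

# Constructed public-exploit feed: each entry names the CVE it targets.
PUBLIC_EXPLOITS = [
    {"source": "constructed-feed", "cve": "CVE-0000-0001"},
    {"source": "constructed-feed", "cve": "cve-0000-0002"},   # lower-case in the feed
    {"source": "constructed-feed", "cve": "CVE-0000-0003"},
    {"source": "constructed-feed", "cve": "CVE-0000-0008"},
    {"source": "constructed-feed", "cve": "CVE-0000-0001"},   # duplicate entry
    {"source": "constructed-feed", "cve": "CVE-0000-9999"},   # no bulletin covers it
]


def cves_by_product(bulletins):
    """Map product -> set of CVE IDs; sets prevent double counting across bulletins."""
    per_product = defaultdict(set)
    for bulletin in bulletins.values():
        per_product[bulletin["product"]].update(normalize_cve(c) for c in bulletin["cves"])
    return dict(per_product)


def match_exploits(bulletins, exploits):
    """Return (CVEs with a public exploit that a bulletin covers, CVEs no bulletin covers)."""
    known = set().union(*cves_by_product(bulletins).values())
    exploited = {normalize_cve(e["cve"]) for e in exploits}
    return exploited & known, exploited - known


def exploit_share(bulletins, exploits):
    """Per product: (CVEs with public exploit, total CVEs, percentage rounded to 0.1)."""
    matched, _ = match_exploits(bulletins, exploits)
    shares = {}
    for product, cves in cves_by_product(bulletins).items():
        hit = len(cves & matched)
        shares[product] = (hit, len(cves), round(100.0 * hit / len(cves), 1))
    return shares


if __name__ == "__main__":
    for product, (hit, total, pct) in sorted(exploit_share(BULLETINS, PUBLIC_EXPLOITS).items()):
        print(f"{product:12s} {hit}/{total} CVEs with public exploit code ({pct}%)")
    _, unmatched = match_exploits(BULLETINS, PUBLIC_EXPLOITS)
    print("exploits with no matching bulletin:", sorted(unmatched))
```

Two details matter when doing this against real feeds: CVE IDs must be normalized before the join, or entries that differ only in casing or whitespace silently drop out of the numerator; and exploits whose CVE maps to no bulletin must be reported separately rather than discarded, since they are exactly the cases a defender wants to look at.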

We even added a table where we compared selected products in 2006 and 2007:

[Table omitted: per-product comparison of 2006 and 2007 figures]

So, what does this tell us?

When we look at attacks and the "time to exploit", which is definitely decreasing, we have to take into consideration that malware (which often exploits vulnerabilities) is more and more focused on financial gain. The chart below shows this very well:

So, what do this and the report above allow us to conclude?

  • Criminals are getting smarter, more professional and faster – with or without this kind of technology
  • As a result of the Security Development Lifecycle, which sets standards for secure development practices that all Microsoft products have to adhere to, the latest versions have significantly fewer vulnerabilities than both older versions and competing products
  • We have to continue to invest in producing high-quality security updates (by "we" I mean the whole industry) in order to allow for shorter patching cycles
  • Vendors have to work closely with customers to share patch management best practices. This is something we have been doing for a long time.

One final comment: To me it is not only about exploits, it is about the process of creating Security Updates as well. In this context I would like to remind you of my recent post on 0-Day-Patch – A new Metric for Security?

Roger