Microsoft has been dealing with cyber threats for years, both internally and with our customers. In case you haven’t noticed, though, the tide has changed significantly, both in the focus of such malevolent attacks and in the public perception of Microsoft’s ability to deal with those threats effectively.
To see the trends in cyber warfare, one need only read the headlines in the latest Microsoft Security Intelligence Report or in news articles and note the focus of the recent attacks now on the rise.
Just take a look at some recent news articles:
February 24th 2009 – SQL Attacks – Half a Million Sites Already Owned – “Current epidemic of online SQL injection attacks maintains that over a half million sites were victimized by the threats during 2008 alone”
April 3rd 2009 – VMware exploits – just how bad is it? – “When Tony reported on the release of new VMware patches on April 4th, we didn’t immediately spot that the same day there was also a release of a for-pay exploit against CVE-2009-1244 (announced in VMSA-2009-0006). Seems a few days later, there is also a white paper available -for pay as well-, and now also a flash video of the alleged exploit showing a XP client OS exploiting a Vista host OS (launching calc.exe). The video also comments that they get a data leak back from the host to the client”
April 14th 2009 – Attack Sneaks Rootkits Into Linux Kernel – “A researcher at Black Hat Europe this week will demonstrate a more stealthy way to hack Linux.” “‘One of bonuses of this [approach] is that most kernel module rootkits make a lot noise when they are inserting [the code]. This one is directly manipulating’ the memory, so it’s less noticeable, he says.”
April 16th 2009 – iBotnet: Researchers find signs of zombie Macs – “Writing in the current issue of Virus Bulletin (subscription required), researchers Mario Ballano Barcena and Alfredo Pesoli found two malware variants — OSX.Iservice and OSX.Iservice.B — using different techniques to obtain the user’s password and take control of the infected Mac machine”
Contrast this with the trend of positive security reports from Gartner, AV-Comparatives and other security experts raving about Microsoft’s SDL, security software and best-practice guidance.
“Conventional wisdom has been that organizations need to wait for the first Service Pack to ship before they deploy a new client OS. This used to be a necessity. The availability of beta software to test the new product was not as broad as it is today, and people expected the initial release to be buggy and unstable. The first Service Pack usually would ship approximately nine to 12 months after the initial OS shipment, and would usually represent a marked improvement in stability. Today, SP1 does not represent the milestone it used to”
May 20th 2009 – Adobe to release security updates a la Patch Tuesday – “Adobe said on Wednesday it will release quarterly security updates to coincide with Microsoft’s Patch Tuesday as part of a new approach to product security for Adobe Reader and Acrobat.”
“All new code and features for Adobe Reader and Acrobat have been put through a Secure product Lifecycle that is similar to Microsoft’s much-touted Security Development Lifecycle.”
June 10th 2009 – Microsoft Ranks First in AV-Comparatives May Edition for Proactive Detection Testing! – “We are #1 this time! And it is our first time scoring Advanced+ in AV-comparatives testing. We scored very well on both ends: second best in detection rate and we had the fewest false positives. AV-Comparatives.org published the May edition of the proactive/retrospective testing of the May Edition….Our detection rate was…the second best among the participants, and we had the fewest false positive samples.
For details, please check AV-comparatives May edition published below: http://www.av-comparatives.org/images/stories/test/ondret/avc_report22.pdf”
June 29th 2009 – Pigs fly! Microsoft leads in security – “Microsoft’s success with Security Development Lifecycle has security experts buzzing and offers lessons…Many of the world’s most knowledgeable security experts are urging their favorite software vendors to follow in the footsteps of Microsoft.
“Microsoft becomes high priest of secure software development.” – CNET
“As an industry we should recognize the sea change in Microsoft’s approach to security… and encourage other vendors to follow Microsoft’s lead.” – SANS NewsBites
“In 2004 Microsoft was a couple years into its Trustworthy Computing Initiative but it remained the software company IT security practitioners hated with glee…. That’s not so much the case today.” — Computerworld
“As repugnant as it sounds, Apple will need to take a page from Microsoft’s book in this area. Years of combating viral threats, malware, and so on” – CrunchGear
“It isn’t just press talk alone. Every common security and vulnerability metric shows Microsoft’s software security has dramatically improved over the years, especially compared to its main competitors. Vulnerabilities found by employees and external researchers are down well over half from just a few years ago. For some products, such as IIS and SQL Server, the improvement is startling going from dozens of exploits a year to barely a handful over five years.”
“Hackers have moved on from focusing on Windows holes to attacking third-party applications or social engineering the end-user as the primary attack vector. Patch Tuesday was derided when it first appeared. Now it has become a model for many other popularly attacked products, and vendors not using a regularly scheduled patch period are being asked to get on board by their customers.”
“I challenge you to find anywhere near the amount of free resources on improving your software security from any other source.”
Microsoft has made contributions with the Microsoft Security Development Lifecycle (SDL). This SDL framework, along with Microsoft’s free security tools, the Patch Tuesday example, and Microsoft’s Forefront Security products, has forced the trend of attacks to shift to third-party applications and low-hanging fruit, and has simultaneously bolstered Microsoft’s reputation as not only a security player but a leader in the industry.