On TechRepublic: 10 lame phrases to cut from your resume
BNET Business Network:
BNET
TechRepublic
ZDNet

November 3rd, 2008

Microsoft: Third party apps killing our security

Posted by Larry Dignan @ 12:40 am

Categories: General, Microsoft, Security, Software Infrastructure, Web Technology

Tags: Microsoft Windows Vista, Microsoft Corp., Web Browser, Third Party Application, Chances, Microsoft Windows Vista (Longhorn), Security, Operating Systems, Microsoft Windows, Software

Why would hackers target Microsoft directly when there is so much low hanging fruit hanging from the Windows operating system?

The short answer is that hackers won’t attack Microsoft directly because they have plenty of alternatives via third party applications such as QuickTime, RealPlayer and WinZip. That’s the big takeaway from Microsoft’s Security Intelligence Report (January to June 2008), which will be unveiled Monday. Microsoft prebriefed a few folks including me and The New York Times on the key findings of the report, but the real interesting data will appear in the full blown document, which will be dissected by Ryan Naraine at Zero Day later.

This version of the Security Intelligence Report looks at the evolution of emerging threats and focuses on botnets. While the key findings highlight a few interesting threads–vulnerability disclosure continues to fall; disclosure of Microsoft software vulnerabilities continue to fall and Chinese are victims of more than 46 percent of browser-based exploits–the big item is that the software giant is being buffeted by attacks via third party applications.

Microsoft’s data confirms the findings of other security vendors such as Kaspersky. For instance, hackers are attacking Vista almost entirely through third party applications.

sir1.png

Microsoft then goes into the top 10 browser vulnerabilities and notes that its software accounted for half of the biggest flaws on XP. On Vista, Microsoft software accounted for none of the top flaws. Here’s the breakdown:

Top 10 browser-based vulnerabilities on XP:

sir2.png

And the top 10 browser-based vulnerabilities on Vista (click to enlarge):

sir3.png

The tale: RealPlayer, Apple QuickTime, various toolbars and other tag-along applications are vulnerable.

These statistics leave one question hanging: Is Vista really more secure or is it just that third party applications are easier to exploit? The truth is that we may never know about Vista’s security level–unless third party application developers suddenly get security religion. Chances are that won’t happen.

George Stathakopoulos, general manager of Microsoft product security for the Security Engineering and Communications Group, roughly agreed with my theory. He maintains that Vista is more secure–and I don’t think that take is a big stretch–but the degree of security over XP may be skewed by third party applications. Simply put, Vista isn’t the primary target of attackers, which are opting for easier prey.

“I think Vista is better on security. Microsoft products better on security and I think our focus is paying off. The numbers say third party applications are an issue. What we need to do as community is figure out how to solve this problem,” says Stathakopoulos, reiterating his common theme. I told him that insecure third party applications may skew how secure Vista looks and he generally agreed. “Absolutely, third party applications affect the magnitude of how secure Vista looks.”

Indeed, Microsoft is working on getting the ecosystem to cooperate more. Earlier this year, Microsoft launched its trusted Internet initiative, which is still in the whitepaper stage.

Among other nuggets of Microsoft’s findings that stood out:

  • Brazil is the global king of password stealers and monitoring tools. More than 60 percent of the computers cleaned in Brazil had password stealers on them. Globally, Trojan Downloaders and droppers are the most popular mean of attack.
  • China is dominated by pop-up ad toolbars and browser modifiers. This malware usually stays in China since they are in Chinese.
  • Viruses still work in Korea relative to the rest of the world. Most of these infected files are swapped via peer-to-peer networks. Stathakopoulos says gaming is a primary target for attackers in Korea. Cybercrime is localized to each unique characteristic of a country.
  • The infection rate for Windows Vista is lower than Windows XP at any service pack level. Vista 64-bit infection rates are lower than the 32-bit versions.

Larry DignanLarry Dignan is Editor in Chief of ZDNet and Editorial Director of ZDNet sister site TechRepublic. See his full profile and disclosure of his industry affiliations.

For daily updates, follow Larry on Twitter.

Email Larry Dignan

Subscribe to Between the Lines via Email alerts or RSS.

  • Talkback
  • Most Recent of 134 Talkback(s)
Third party apps killing our security ?
Most third party apps are compiled
with Microsoft Visual Studio.

Hardly third party.

Jump out from this dusty old spider web
before IT's to late.

If you start to move within it, it only
make you dustier and dustier and ......... (Read the rest)
Posted by: xmeshman Posted on: 11/26/08  (Edited: 11/26/08 @ 05:26) You are currently: a Guest | | Terms of Use
Interesting...  Sleeper Service | 11/03/08
QT and Real  TedKraan | 11/03/08
Not so easy  eMJayy | 11/03/08
Apple - Insidious Security Attack?  rickb@... | 11/03/08
This probably is Apple's intent  cshupe@... | 11/03/08
Amazing that MS lets them get away with it  John L. Ries | 11/03/08
Are you suggesting ...  de-void | 11/04/08
Uh.. Right...  Wolfie2K3 | 11/05/08
Toy OS?  rickb@... | 11/03/08
Toy OS  brian ansorge | 11/04/08
RE: hanks to Apple, my windows PCs are less secure today  Redsheep | 11/03/08
Quicktime has been a security sieve since days of yore  seanferd | 11/03/08
RE: Thanks to Apple, my windows PCs are less secure today  Redsheep | 11/03/08
QT, Real et al...  martian@... | 11/04/08
Restrictive environments  TedKraan | 11/03/08
Firm Foundations  TechnoCritter | 11/04/08
People still use RealPlayer?  Don Collins | 11/03/08
I use Youtube often  TedKraan | 11/03/08
Tell That To Some Web Seminars  itanalyst2@... | 11/03/08
No RealPlayer, yes codecs...  robsku | 11/03/08
Use Real Alternative . . . . . (nt)  JLHenry | 11/03/08
Bingo  seanferd | 11/03/08
Oh yes there is !  Alan Smithie | 11/04/08
The BBC  seanferd | 11/03/08
Oh...Really?  Wolfie2K3 | 11/05/08
Apple doesn't know how to write secure...  bjbrock | 11/03/08
Yet strangely  TedKraan | 11/03/08
There You Go!  DannyO_0x98 | 11/03/08
Which doesn't change the fact...  Sleeper Service | 11/03/08
Here's what's curious....  eMJayy | 11/03/08
That is indeed interesting..  TedKraan | 11/03/08
Interactions among groups at Apple  sean_hando@... | 11/03/08
yes, include MS apps in that list....  deaf_e_kate | 11/03/08
Which is why Vista has fewer issues...  Sleeper Service | 11/03/08
LOL - secured apps ...  digitrog | 11/05/08
Hmm  beoz | 11/03/08
FAIL  de-void | 11/04/08
security ... LOL  digitrog | 11/05/08
Tard time again?  rag@... | 11/03/08
get real  dave@... | 11/03/08
re: tard time  Badgered | 11/03/08
Name just one...  rag@... | 11/04/08
Virii aren't the only security issue ...  de-void | 11/04/08
Yet they still are not a target..  itguy08 | 11/03/08
I think we have to bear in mind...  Sleeper Service | 11/03/08
How is OS X inherently more secure than Windows?  ye | 11/03/08
Spot the differences (again)  TedKraan | 11/03/08
This shows OS X is inherently more secure how? nt  ye | 11/03/08
differences in design  TedKraan | 11/03/08
Stop being so vague.  ye | 11/03/08
Spot the differences: the answer  TedKraan | 11/03/08
@TedKraan: Which doesn't explain why OS X is inherently...  ye | 11/03/08
Young children come to a phase in life  TedKraan | 11/03/08
@TedKraan: No, it's not okay.  ye | 11/03/08
Yes, it is a cop out  TedKraan | 11/03/08
@TedKraan: You haven't provided anything to understand.  ye | 11/03/08
Some Tanenbaum work par example  TedKraan | 11/03/08
@TedKraan: Been there, done that.  ye | 11/03/08
...  TedKraan | 11/03/08
A quick security primer on Win vs OSX  rickb@... | 11/03/08
That was a good explanation but it did nothing to...  ye | 11/03/08
Well, now you are in denial  rickb@... | 11/03/08
Don't think that helps  TedKraan | 11/03/08
@rickb: Please don't project your failings onto me.  ye | 11/03/08
Spot on  beoz | 11/03/08
Because...  Sleeper Service | 11/03/08
Security by Obscurity? A Microsoft Product?  rickb@... | 11/03/08
While I agree with this I don't see how it means...  ye | 11/03/08
Nah, just bad use of language.  Sleeper Service | 11/03/08
I appreciate the clarification.  ye | 11/03/08
How about...  rag@... | 11/04/08
No longer the case ...  de-void | 11/04/08
Hackers haven't migrated yet, that's why  eMJayy | 11/03/08
FUD Time Returns  rag@... | 11/03/08
Wishful thinking  eMJayy | 11/03/08
Fanboy Time Returns  boony | 11/03/08
FUD x2  mrjoctave@... | 11/04/08
That's true  shellcodes_coder | 11/03/08
Microsoft doesn't ship Flash  de-void | 11/04/08
I'm a Windows user, and I'd say Window is still it's own vector  Boot_Agnostic | 11/03/08
Not perfect, only almost happy  robsku | 11/03/08
Re Linux adoption  jns_45K@... | 11/17/08
Microsoft should break the poorly written applications  qmlscycrajg | 11/03/08
Microsoft should break the poorly written applications  Stan57 | 11/03/08
There lies the dilema  cornpie | 11/03/08
Would be difficult, but...  John L. Ries | 11/03/08
Certified for Windows  de-void | 11/04/08
This started happening with XP  mystic100 | 11/03/08
Just like DR DOS? (nt)  grail@... | 11/04/08
The best fix  soonerproud | 11/03/08
Lousy architecture ALLOWS third party apps to break security  tomb@... | 11/03/08
You nailed it  Takalok | 11/03/08
It's a shared responsibilty  rickb@... | 11/03/08
In all fairness  DaemonSlayer | 11/03/08
I'm no M$ fanboy, but  eMJayy | 11/03/08
nothing wrong with architecture  soulxfer@... | 11/03/08
market share....  storm14k | 11/03/08
You are totally right there  TedKraan | 11/03/08
Well said  Chad_z | 11/03/08
Nice analogy  TedKraan | 11/03/08
to much porn more like  mrjoctave@... | 11/04/08
LOL  Sleeper Service | 11/03/08
duh  mrjoctave@... | 11/04/08
Very True. And as proof of that  GuidingLight | 11/03/08
True, but Microsoft did shoot itself in the foot with a cannon  mystic100 | 11/03/08
and another one  mrjoctave@... | 11/04/08
Things can launch on their own  mystic100 | 11/04/08
That is a good point  GuidingLight | 11/04/08
FAIL  de-void | 11/04/08
Then the challenges are...  John L. Ries | 11/03/08
Time will tell  DaemonSlayer | 11/03/08
Where is it said that there is no exploits for OSX?  CrashPad | 11/03/08
Antivirus for OSX?  grail@... | 11/04/08
RE: Microsoft: Third party apps killing our security  robsku | 11/03/08
RE: Microsoft: Third party apps killing our security  null | 11/03/08
Use only MS Software ???  null | 11/03/08
A logical assertion.  HypnoToad | 11/03/08
Interesting - Look at the Microsoft/XP exploits  hilcheyman | 11/03/08
Are you suggesting ...  de-void | 11/04/08
Does Mr Needes read this stuff?  rtirman37@... | 11/03/08
Market Success != Technical Prowess  tomb@... | 11/03/08
Correct  TedKraan | 11/03/08
FAIL  de-void | 11/04/08
wrong  TedKraan | 11/12/08
RE: Microsoft: Third party apps killing our security  atari8bit@... | 11/03/08
Trouble is.....................  Alan Smithie | 11/04/08
Interesting, I figured out Vista's security success and realized something  Breetai | 11/04/08
Define failure  de-void | 11/04/08
RE: Microsoft: third party apps killing our security - like heck!  digitrog | 11/05/08
RE: Microsoft: Third party apps killing our security  StasD | 11/06/08
RE: Microsoft: Third party apps killing our security  1djk1 | 11/13/08
Don't bite the hand that feeds you  Ole Man | 11/13/08
Isn't transparency preferable?  JelMin | 11/14/08
Third party apps killing our security ?  xmeshman | 11/26/08

What do you think?

SponsoredWhite Papers, Webcasts, and Downloads

Essential Topics Click Here

advertisement

Recent Entries

Premier Vendor Content Whitepapers, webcasts & resources from our Power Center Sponsors
advertisement

Archives

Favorite Links

ZDNet Blogs

White Papers, Webcasts, and Downloads

  • Smart Tech Expert advice on innovations in healthcare and the green technologies that make it happen. Find out more
  • Smart Business Discussion and advice on management issues that revolve around making your world smarter and more useful. More Smart Advice
  • Smart People The best and worst moves in the management and strategy trenches. Learn More