Report: Microsoft fastest to issue OS patches, Sun slowest

Symantec's comprehensive security report on the malware industry from July 1 to December 31, 2007, is now available (PDF) in its 100+ page glory. While some parts of the report simply reiterate data we're well aware of—it's no surprise to read that the majority of malicious activity originates in the US—there's also a great deal of new information here that we'll examine below.

Symantec broke down information on patch development time by operating system and by the type of vulnerability encountered. Surprisingly, Microsoft had the shortest time-to-patch over both halves of 2007. In the first part of the year, Microsoft released 38 patches (two of which involved third-party applications) with an average deployment time of 18 days. From July to December, Microsoft released 22 patches with an average patch time of six days.

Red Hat came in second, at 32 days for the second half of the year and 36 days in the first half. That's quite a bit higher than Microsoft's average, but of the 227 vulnerabilities Red Hat patched in 2007, 226 of them involved third-party applications. Apple, Sun, and HP all lag well behind Microsoft and Red Hat, though the gap for each company differs significantly between the first and second halves of last year.

Vulnerability breakdowns by type are listed above for each company. Client-side attacks are vulnerabilities that specifically affect network client software and software that receives data from network clients. These vulnerabilities do not directly affect web browsers, though web browsers may provide the initial vector of attack. Local vulnerabilities, in this context, refer to vulnerabilities that can only be exploited by a person physically located at the machine in question.

The pie charts above show rough similarities in vulnerability distribution between Mac OS X and Red Hat, and between Sun and HP. Microsoft's Windows XP and Windows Vista, meanwhile, have the dubious distinction of being the only operating systems where a full 82 percent of vulnerabilities were found either client-side or directly within the browser.

Once we break down vulnerability by browser plugin, Microsoft's high percentage of client-side and browser vulnerabilities makes perfect sense. Symantec tracked patch reports for Adobe Acrobat, Flash, Quicktime, ActiveX, Windows Media Player, Mozilla browser extensions, Opera widgets, and Sun Java. Over the course of 2007, a total of 476 vulnerabilities were found across all eight categories. Care to guess who came in first?

These two pie charts clearly demonstrate just how insecure Java really is—the number of Java-based vulnerabilities rose 250 percent from July-December as compared to January-June. 

Okay, in all seriousness, ActiveX is the overwhelming culprit here. Microsoft put a great deal of emphasis on security when it developed Vista, and Internet Explorer 7 contains its own set of security enhancements meant to limit ActiveX attacks, but there are gaping holes in Microsoft's security in this area—or perhaps it's simply more accurate to say Microsoft has managed to create a few threads of security amid the gaping vulnerabilities of ActiveX. The percentage of ActiveX-derived exploits should fall in 2008 as an increasing number of users make the jump to Windows Vista.

News Source: Symantec
