Microsoft Security Report Points Fingers at ISVs
Fewer Windows security holes according to report

The overall number of Windows security holes has declined in the last year by 8.4 percent to about 2,500 vulnerabilities, according to a new Microsoft report.
For a big target like Microsoft, that's good news. It's one of the findings in the eighth edition of Microsoft's "Security Intelligence Report," published today, which draws its data mostly from the second half of 2009. The report, which also tracks vulnerabilities in third-party software, can be downloaded here.
The bad news: almost to a person, security experts are saying that it's time for independent software vendors (ISVs) who leverage Windows components to step up their own security strategies. And Microsoft thinks so too. Newer Windows operating systems are less vulnerable to attack. Instead, hacker and botnet attacks have shifted toward targeting third-party programs and utilities running on Windows.
In particular, third-party "auto updaters don't work for an enterprise environment," according to Nancee Melby, director of product marketing at Shavlik Technologies.
"An enterprise can't rely on faith that critical security updates are deployed in a timely fashion," she added. "It's time for the third-party vendors to look at Microsoft as an example and stop repeating the mistakes of the past."
Around 45 percent of attacks in 2009 exploited third-party apps on Windows XP. With Vista and Windows 7, that number was closer to 75 percent, according to the report.
Adobe's patching frequency has proved to be a case in point. Microsoft's report identified Adobe Reader as a consistently vulnerable application for Windows 7 users. Three of 10 troublesome third-party apps came from Adobe, according to the report.
"It's clear Microsoft has learned that Windows is often guilty by association -- justified or not -- when third-party apps have security problems," said Don Leatham, senior director of solutions and strategy at Lumension. "Microsoft has a strategy in place where they opened up the WSUS [Windows Server Update Services] APIs to allow ISVs to provide patches via Microsoft's corporate patching technology. They have done essentially the same for the System Center platform, but unfortunately there has not been widespread adoption of these capabilities by the ISV community."
As in Microsoft's previous security reports, the numbers show that more recent versions of Windows operating systems are less vulnerable to attack. Nevertheless, Microsoft's Malicious Software Removal Tool detected malware on eight of every 1,000 computers scanned in the United States during the second half of 2009. The United States was also the No. 1 target of rogue malware, according to the report.
"The only thing that Microsoft has done with Vista and Windows 7 is to make it much harder to use vulnerabilities in the design of the operating system to be the vector of attack," commented Phil Lieberman, president of Lieberman Software.
With the advent of cloud computing, Microsoft will face the additional challenges of managing its datacenter infrastructure and the security of its customers' data, while providing transparency on security policies.
"Microsoft must also get into the business of helping customers implement segregation of duties, physical security controls using mutual authentication, for instance, machine-to-machine verification and certificate management," Lieberman said.
About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.