Security Vulnerabilities Down but Still Strong

Although the frequency of security vulnerabilities continues to decline, vendors were still preoccupied with patching last year.

The latest edition of Microsoft Corp.'s bi-annual Security Intelligence Report (SIR) is a mixed bag.

The new Microsoft SIR covers the last six months of 2010 and paints a picture of a threat landscape in which vulnerability disclosures are down across the board. This includes application-specific vulnerabilities, which historically have accounted for the vast majority of exploit activity. On top of this, the frequency of extremely critical vulnerabilities dropped by more than a quarter last year and has been declining since 2006, too.

Why the mixed bag? For one thing, vulnerability reporting is down but not gone. Last year, for example, vendors disclosed nearly 4,000 application-specific vulnerabilities. In addition, the frequency of both browser- and operating system-specific vulnerabilities has remained basically flat over the last half-decade.

Fewer and Farther Between?

On the plus side, Microsoft's SIR finds vulnerability disclosure rates have been declining for the last five years, a development the software giant attributes to "better development practices and quality control throughout the industry."

Between 2009 and 2010, industry-wide vulnerability disclosure rates had dropped by 16.5 percent, the SIR points out.

By 2010, vulnerabilities that were rated a "Medium" security risk by Microsoft -- i.e., those that scored between 4 and 6.9 on its severity index -- were down by approximately one-third relative to their 2006 tallies.

Disclosures of "High" risk vulnerabilities (those scoring between 7 and 10 on the index) were down by almost 30 percent, relative -- again -- to 2006.

Last year, "Medium" severity flaws accounted for almost half of all vulnerability disclosures. "High" severity issues made up almost 40 percent, with the most severe vulnerabilities (those scoring at 9.9 or 10 on the index) accounting for 5.5 percent of this total. This marks a significant improvement (28 percent) over 2009's tally.

Security flaws are likewise becoming harder to exploit: the frequency of "Low" complexity exploits dropped precipitously over the last half decade, by approximately 56 percent. Although the frequency of "Medium" complexity exploits increased over the same period, it's mostly leveled off since 2008. The frequency of "High" complexity vulnerability exploits has basically been static since 2007.

On the other hand, Microsoft itself doesn't seem to be benefitting from this trend.

According to the SIR, for example, "vulnerability disclosures for Microsoft products increased slightly in 2010." Last year's uptick may have been an anomaly, however; the SIR explains that disclosure rates for Microsoft products "have generally remained stable over the past several periods."

Microsoft's share of security vulnerability disclosures increased last year, too: in 2010, the company accounted for 7.2 percent of all vulnerabilities; in 2009, its share stood at 4.5 percent. Microsoft attributes this uptick to "the overall decline in vulnerability disclosures across the industry during that time."

Exploit Ground Zero

Last year marked the emergence of Java as a popular attack vector for malware authors: Java-specific exploits used to be comparatively rare -- at least relative to ever-popular exploit targets such as HMTL or JavaScript.

That changed starting in the third quarter of 2010, when Java-specific exploit activity spiked. This rise was an anomaly, however. "[T]he number of Java attacks increased to fourteen times the number of attacks recorded in [the second quarter of 2010], driven mostly by the exploitation of a pair of vulnerabilities in versions of the Sun (now Oracle) JVM," the report notes. "Together, these two vulnerabilities accounted for 85 percent of the Java exploits detected in the second half of 2010."

Must Read Articles