Microsoft: Third party apps killing our security

Why would hackers target Microsoft directly when there is so much low hanging fruit hanging from the Windows operating system?

The short answer is that hackers won’t attack Microsoft directly because they have plenty of alternatives via third party applications such as QuickTime, RealPlayer and WinZip. That’s the big takeaway from Microsoft’s Security Intelligence Report (January to June 2008), which will be unveiled Monday. Microsoft prebriefed a few folks including me and The New York Times on the key findings of the report, but the real interesting data will appear in the full blown document, which will be dissected by Ryan Naraine at Zero Day later.

This version of the Security Intelligence Report looks at the evolution of emerging threats and focuses on botnets. While the key findings highlight a few interesting threads–vulnerability disclosure continues to fall; disclosure of Microsoft software vulnerabilities continue to fall and Chinese are victims of more than 46 percent of browser-based exploits–the big item is that the software giant is being buffeted by attacks via third party applications.

Microsoft’s data confirms the findings of other security vendors such as Kaspersky. For instance, hackers are attacking Vista almost entirely through third party applications.

Microsoft then goes into the top 10 browser vulnerabilities and notes that its software accounted for half of the biggest flaws on XP. On Vista, Microsoft software accounted for none of the top flaws. Here’s the breakdown:

Top 10 browser-based vulnerabilities on XP:

And the top 10 browser-based vulnerabilities on Vista (click to enlarge):

The tale: RealPlayer, Apple QuickTime, various toolbars and other tag-along applications are vulnerable.

These statistics leave one question hanging: Is Vista really more secure or is it just that third party applications are easier to exploit? The truth is that we may never know about Vista’s security level–unless third party application developers suddenly get security religion. Chances are that won’t happen.

George Stathakopoulos, general manager of Microsoft product security for the Security Engineering and Communications Group, roughly agreed with my theory. He maintains that Vista is more secure–and I don’t think that take is a big stretch–but the degree of security over XP may be skewed by third party applications. Simply put, Vista isn’t the primary target of attackers, which are opting for easier prey.

“I think Vista is better on security. Microsoft products better on security and I think our focus is paying off. The numbers say third party applications are an issue. What we need to do as community is figure out how to solve this problem,” says Stathakopoulos, reiterating his common theme. I told him that insecure third party applications may skew how secure Vista looks and he generally agreed. “Absolutely, third party applications affect the magnitude of how secure Vista looks.”

Indeed, Microsoft is working on getting the ecosystem to cooperate more. Earlier this year, Microsoft launched its trusted Internet initiative, which is still in the whitepaper stage.

Among other nuggets of Microsoft’s findings that stood out:

• Brazil is the global king of password stealers and monitoring tools. More than 60 percent of the computers cleaned in Brazil had password stealers on them. Globally, Trojan Downloaders and droppers are the most popular mean of attack.
• China is dominated by pop-up ad toolbars and browser modifiers. This malware usually stays in China since they are in Chinese.
• Viruses still work in Korea relative to the rest of the world. Most of these infected files are swapped via peer-to-peer networks. Stathakopoulos says gaming is a primary target for attackers in Korea. Cybercrime is localized to each unique characteristic of a country.
• The infection rate for Windows Vista is lower than Windows XP at any service pack level. Vista 64-bit infection rates are lower than the 32-bit versions.