Microsoft: Third party apps killing our security

Summary: Why would hackers target Microsoft directly when there is so much low hanging fruit hanging from the Windows operating system? The short answer is that hackers won't attack Microsoft directly because they have plenty of alternatives via third party applications such as QuickTime, RealPlayer and WinZip.

Why would hackers target Microsoft directly when there is so much low hanging fruit hanging from the Windows operating system?

The short answer is that hackers won't attack Microsoft directly because they have plenty of alternatives via third party applications such as QuickTime, RealPlayer and WinZip. That's the big takeaway from Microsoft's Security Intelligence Report (January to June 2008), which will be unveiled Monday. Microsoft prebriefed a few folks including me and The New York Times on the key findings of the report, but the really interesting data will appear in the full-blown document, which will be dissected by Ryan Naraine at Zero Day later.

This version of the Security Intelligence Report looks at the evolution of emerging threats and focuses on botnets. While the key findings highlight a few interesting threads--vulnerability disclosure continues to fall; disclosure of Microsoft software vulnerabilities continues to fall; and Chinese users are victims of more than 46 percent of browser-based exploits--the big item is that the software giant is being buffeted by attacks via third party applications.

Microsoft's data confirms the findings of other security vendors such as Kaspersky. For instance, hackers are attacking Vista almost entirely through third party applications.

Microsoft then goes into the top 10 browser vulnerabilities and notes that its software accounted for half of the biggest flaws on XP. On Vista, Microsoft software accounted for none of the top flaws. Here's the breakdown:

Top 10 browser-based vulnerabilities on XP:

And the top 10 browser-based vulnerabilities on Vista:

The tale: RealPlayer, Apple QuickTime, various toolbars and other tag-along applications are vulnerable.

These statistics leave one question hanging: Is Vista really more secure or is it just that third party applications are easier to exploit? The truth is that we may never know about Vista's security level--unless third party application developers suddenly get security religion. Chances are that won't happen.

George Stathakopoulos, general manager of Microsoft product security for the Security Engineering and Communications Group, roughly agreed with my theory. He maintains that Vista is more secure--and I don't think that take is a big stretch--but the degree of security over XP may be skewed by third party applications. Simply put, Vista isn't the primary target of attackers, who are opting for easier prey.

"I think Vista is better on security. Microsoft products are better on security and I think our focus is paying off. The numbers say third party applications are an issue. What we need to do as a community is figure out how to solve this problem," says Stathakopoulos, reiterating his common theme. I told him that insecure third party applications may skew how secure Vista looks and he generally agreed. "Absolutely, third party applications affect the magnitude of how secure Vista looks."

Indeed, Microsoft is working on getting the ecosystem to cooperate more. Earlier this year, Microsoft launched its trusted Internet initiative, which is still in the whitepaper stage.

Among other nuggets of Microsoft's findings that stood out:

  • Brazil is the global king of password stealers and monitoring tools. More than 60 percent of the computers cleaned in Brazil had password stealers on them. Globally, Trojan downloaders and droppers are the most popular means of attack.
  • China is dominated by pop-up ad toolbars and browser modifiers. This malware usually stays in China since it is in Chinese.
  • Viruses still work in Korea relative to the rest of the world. Most of these infected files are swapped via peer-to-peer networks. Stathakopoulos says gaming is a primary target for attackers in Korea. Cybercrime is localized to the unique characteristics of each country.
  • The infection rate for Windows Vista is lower than Windows XP at any service pack level. Vista 64-bit infection rates are lower than the 32-bit versions.

Talkback

134 comments
  • Interesting...

    ...hopefully this will give pause for thought to the "XP is better!" brigade.

    It's also no surprise to see badly coded monstrosities like QuickTime and Real Player in there. Anyone using these pieces of crapware - unless they really have to - needs to have their head examined.
    Sleeper Service
    • QT and Real

      are annoying formats indeed. People should stick to things like MPEG.
      TedKraan
    • Not so easy

      Some time ago, I installed iTunes onto my XP PCs to allow me to put music onto my Motorola Razr GSM phone (it uses iTunes as a music player and syncs to it). Then a funny thing happened - iTunes upgrades suddenly began mandatory installations of Quicktime because it was suddenly required for newer versions of iTunes to work. I don't use Quicktime at all. And now they've added even more software to that bundle. Thanks to Apple, my windows PCs are less secure today than when I didn't use their software at all.
      eMJayy
      • Apple - Insidious Security Attack?

        Clearly this was an attempt by Apple to compromise Windows systems!

        Actually that was sarcasm. I suspect it's instead an attempt to bundle their media player to make it more ubiquitous, and take share from Real / WinMedia / Flash.

        But that would be a different thread <g>
        rickb@...
        • This probably is Apple's intent

          Compromising Windows works for Apple in many ways, and their juvenile advertising comparing their toy OS with Windows makes hay of these vulnerabilities, some of which they plant with their updates and downloads. I believe these effects are not coincidental, but planned.
          cshupe@...
          • Amazing that MS lets them get away with it

            MS does control the operating system after all. Part of what operating systems are supposed to do is to determine what individual processes are and are not allowed to do.
            John L. Ries
          • Are you suggesting ...

            ... that Microsoft decide whose software should be allowed to install on Windows ... potentially overriding the user's express wishes?

            Can anyone else hear the black helicopters of the DOJ whispering in the sky outside?
            de-void-21165590650301806002836337787023
          • Uh.. Right...

            "MS does control the operating system after all. Part of what operating systems are supposed to do is to determine what individual processes are and are not allowed to do."

            Ok... I can just see it now... Microsoft starts dictating what can and can't run on Windows and how it can run (beyond the usual PUBLISHED programming advisories and guidelines)... I can see the DOJ coming down on them like a 100 mile per hour pyroclastic flow coming out of a volcanic event - fast, devastating and overwhelming. Just ask the folks from Pompeii in AD 79.

            Actually... Microsoft already makes changes like that. It's called Vista. And with Vista they removed most all 3rd party drivers from the kernel level down to a user level. And there was much whining and gnashing of teeth from SOME vendors. In fact, just as Vista was RTM'ed, Symantec chose to start their whine about how Norton AV would no longer work properly (not that it ever did, but that's another rant) because they couldn't attach their processes to the kernel like they did with previous versions of Windows. You'd think they could have done their whiny bit much earlier - like during the Alpha or Beta phase of development when there could have been changes made. NOT at the last minute after everything's been set in stone.

            Of course, other antivirus vendors managed to overcome this issue and were still able to produce antivirus products to work properly with Vista. So it would seem Symantec's whining was moot.

            But for Microsoft to stop applications like Quicktime from doing something potentially harmful.. The accusation would be quick and obvious. Microsoft is out to destroy Apple. And the DOJ's response - rip Microsoft a new one - regardless of if it's for the good of the end user or not.
            Wolfie2K3
          • Toy OS?

            Toy OS? You mean UNIX? 'Cause that's all OSX is, UNIX with a pretty wrapper.
            rickb@...
          • Toy OS

            Sounds like a troll calling my, my, uh, my "member" small.

            Ha ha ha [smiling like Enzyte Bob].

            Yeah, right.
            brian ansorge
      • RE: Thanks to Apple, my windows PCs are less secure today

        Can you point to studies/surveys/articles that actually prove the point you want me to believe or are we back to Apple-bashing?
        Redsheep
        • Quicktime has been a security sieve since days of yore

          Common knowledge. Look up the CVEs or whatnot if you need to do so.

          I'm not an enthusiastic Apple-basher by any means.
          seanferd
      • QT, Real et al...

        For those times I need to do so, I just use the Alternative versions of these programs.
        Way less bloated and most likely not vulnerable, and if so, patched quicker since they're both opensource IIRC.
        Both are available at www.filehippo.com
        martian@...
  • Restrictive environments

    don't allow such a broad base of malware.

    The foundation always has been the problem. You can't build a big castle with thick walls on quicksand.

    Typical blame game propaganda by the sounds of it.
    TedKraan
    • Firm Foundations

      "You can't build a big castle with thick walls on quicksand."

      True, but you can build a straw hut on a concrete foundation. If Vista is told to allow a program to run, it's going to run, security holes and all.
      TechnoCritter
  • I use Youtube often

    and what they did is good. I really disliked the whole real player thing as well.

    It was a horrid thing. Aside from which platform it was run on.
    TedKraan
  • Tell That To Some Web Seminars

    I had to attend one last week, one of the formats was in Real, fortunately they offered the slides in Adobe Acrobat and the audio in Windows Media because I don't have Real on my desktop and I refuse to put it on.
    itanalyst2@...
    • No RealPlayer, yes codecs...

      Neither do I, but I can always launch xine or mplayer to view real media (if necessary, but it rarely is) - is there no such option for windows, using other player than realplayer with the correct codecs to view that format?
      robsku
      • Use Real Alternative . . . . . (nt)

        nt
        JLHenry