Archive for the ‘Microsoft Security Intelligence Report’ Category

As strong as your weakest link: A look at application vulnerability

September 6th, 2016

When it comes to patching and updating software vulnerabilities, operating systems and web browsers seem to get all the love.

But in reality, vulnerabilities in those two types of software usually account for a minority of the publicly disclosed vulnerabilities published in the National Vulnerability Database (NVD), the U.S. government’s repository of standards-based vulnerability management data.

Where are the rest of the vulnerabilities? The majority are in applications (i.e. software that doesn’t ship as part of operating systems or browsers), and unless you’re spending time protecting those too, your application layer could be a big chink in your IT armor. CIOs, CISOs and their security teams need to focus on assessing and patching known vulnerabilities in all business apps, or they could in fact be missing the bulk of the vulnerabilities that exist in their environments.

Vulnerabilities in applications other than web browsers and operating system applications accounted for 44.2% of all disclosures in the second half of 2015.

But separating core OS applications and web browsers from the rest of the application layer can be a bit murky. Comparing vulnerabilities that affect a computer’s operating system to vulnerabilities that affect other components, such as applications and utilities, requires a determination of whether the affected component is part of an operating system. This determination is not always simple and straightforward, given the componentized nature of modern operating systems.

For example, some programs (like photo editors) ship by default with operating system software, but can also be downloaded from the software vendor’s website and installed individually. Linux distributions, in particular, are often assembled from components developed by different teams, many of which provide crucial operating functions such as a graphical user interface (GUI) or Internet browsing.

To help companies navigate this issue and facilitate analysis of operating system and browser vulnerabilities, the Microsoft Security Intelligence Report distinguishes among four different kinds:

  • Core operating system vulnerabilities are those with at least one operating system platform enumeration in the NVD that do not also have any application platform enumerations.
  • Operating system application vulnerabilities are those with at least one OS platform enumeration and at least one application platform enumeration listed in the NVD, except for browsers.
  • Browser vulnerabilities are those that affect components defined as part of a web browser, including web browsers such as Internet Explorer and Apple’s Safari that ship with operating systems, along with third-party browsers such as Mozilla Firefox and Google Chrome.
  • Other application vulnerabilities are those with at least one application platform enumeration in the NVD that do not have any OS enumerations, except for browsers.
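The four rules above are a classification over the platform enumerations (CPE names) the NVD attaches to each CVE. The following is an added example of how that classification can be applied mechanically to NVD data; it is not Microsoft's or NIST's code. It assumes CPE 2.3 names, where the third field is the "part" (`o` for operating system, `a` for application, `h` for hardware), and it uses a browser product list and a handful of constructed CVE records that are assumptions made for the example.

```python
"""Classify vulnerability records into the four SIR categories from their CPE names.

Added example, not Microsoft's or NIST's code. Each record is a CVE id plus the
CPE 2.3 names the NVD lists as affected. The CPE "part" field is "o" for an
operating system, "a" for an application and "h" for hardware. The browser
product list and the sample records are assumptions made for this example.
"""
from collections import Counter

# Assumed (vendor, product) pairs that the SIR would treat as web browsers.
BROWSER_PRODUCTS = {
    ("microsoft", "internet_explorer"),
    ("microsoft", "edge"),
    ("apple", "safari"),
    ("mozilla", "firefox"),
    ("google", "chrome"),
}

def parse_cpe(cpe):
    """Return (part, vendor, product) from a CPE 2.3 formatted name."""
    fields = cpe.split(":")
    if len(fields) < 5 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 name: {cpe}")
    return fields[2], fields[3], fields[4]

def classify(cpes):
    """Apply the four SIR rules to the CPE names of one CVE."""
    parts = [parse_cpe(c) for c in cpes]
    has_os = any(part == "o" for part, _, _ in parts)
    apps = [(vendor, product) for part, vendor, product in parts if part == "a"]
    # Browsers are carved out first: a browser that ships with an OS still counts
    # as a browser vulnerability, not as an OS application vulnerability.
    if any(app in BROWSER_PRODUCTS for app in apps):
        return "browser"
    if has_os and not apps:
        return "core OS"
    if has_os and apps:
        return "OS application"
    if apps:
        return "other application"
    return "unclassified"  # hardware-only or empty enumerations

def distribution(records):
    """Share of each category, as a percentage of all disclosures in `records`."""
    counts = Counter(classify(cpes) for _, cpes in records)
    total = sum(counts.values())
    return {category: round(100.0 * n / total, 1) for category, n in counts.items()}

# Constructed sample records (placeholder CVE ids, illustrative CPE names).
SAMPLE = [
    ("CVE-0000-0001", ["cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*"]),
    ("CVE-0000-0002", ["cpe:2.3:o:microsoft:windows_7:-:*:*:*:*:*:*:*",
                       "cpe:2.3:a:microsoft:internet_explorer:11:*:*:*:*:*:*:*"]),
    ("CVE-0000-0003", ["cpe:2.3:a:mozilla:firefox:40.0:*:*:*:*:*:*:*"]),
    ("CVE-0000-0004", ["cpe:2.3:o:linux:linux_kernel:3.18:*:*:*:*:*:*:*",
                       "cpe:2.3:a:gnome:nautilus:3.14:*:*:*:*:*:*:*"]),
    ("CVE-0000-0005", ["cpe:2.3:a:adobe:flash_player:18.0.0.232:*:*:*:*:*:*:*"]),
    ("CVE-0000-0006", ["cpe:2.3:a:adobe:reader:11.0.12:*:*:*:*:*:*:*"]),
    ("CVE-0000-0007", ["cpe:2.3:h:cisco:asa_5505:-:*:*:*:*:*:*:*"]),
]

if __name__ == "__main__":
    for cve, cpes in SAMPLE:
        print(cve, "->", classify(cpes))
    print(distribution(SAMPLE))
```

The ordering of the rules is the whole point: a CVE that lists both an OS platform and Internet Explorer is a browser vulnerability, and only after browsers are removed does the presence or absence of OS and application enumerations decide between the other three categories.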

With those distinctions in mind, the latest SIR reports that disclosures of vulnerabilities in applications decreased in the second half of 2015, but remained the most common type of vulnerability during the period, accounting for 44.2 percent of all disclosures — a big number that any organization’s security team should be paying attention to.

Meanwhile, the other categories are important too. Core operating system vulnerability disclosures increased dramatically from the first half of the year, moving into second place at 24.5 percent. Operating system application disclosures decreased slightly to account for 18.6 percent, while browser disclosures increased by more than a third to account for 12.8 percent.

The key to keeping any organization safe is to stay on top of all disclosures, no matter which part of the stack they belong in. To stay on top of possible vulnerabilities across your software stack, take a look at our latest Security Intelligence Report and the information available through the NVD. And for a high-level look at the top 10 trends and stats that matter most to security professionals right now, be sure and download our 2016 Trends in Cybersecurity e-book.

Microsoft Security Intelligence Report Volume 19 is now available

November 18th, 2015

We’ve just published hundreds of pages of new threat intelligence available for free download at www.microsoft.com/sir.

This includes threat data from the first half of 2015 as well as longer term trend data on the industry vulnerabilities, exploits, malware, and malicious websites that your organization should use to assess your current security posture. We are also providing threat data for over 100 countries/regions.

Additionally, this volume of the report includes a case study and profile on a determined adversary code-named “Strontium.” This case study provides insight into the techniques that these modern threat actors are using. My colleagues in the Microsoft Malware Protection Center have written an article on Strontium that will give you more details and context: http://blogs.technet.com/b/mmpc/archive/2015/11/18/microsoft-security-intelligence-report-strontium.aspx.

Also included in this volume of the report is an in-depth look at the malware behind much of the bank fraud that has characterized the threat landscape in Brazil for the better part of the last decade. This is required reading for financial services customers.

One of my favorite new data-sets in this report is exploit detection data from the IExtensionValidation interface in Internet Explorer 11. Essentially this interface enables real-time security software to block ActiveX controls from loading on malicious web pages. When Internet Explorer loads a webpage that includes ActiveX controls, if the security software has implemented IExtensionValidation, the browser calls the security software to scan the HTML and script content on the page before loading the controls themselves. If the security software determines that the page is malicious (for example, if it identifies the page as an exploit kit landing page), it can direct Internet Explorer to prevent individual controls or the entire page from loading. The interface helps protect our customers and the data it provides helps us understand how attackers are evolving their web-based attacks such as drive-by download attacks and watering hole attacks. The data in figure 1 shows how attackers have shifted from attacking Flash and Java controls in almost the same frequency to targeting Flash almost 100% of the time. This illustrates the importance of ensuring that Flash is being patched efficiently in your environment.

Figure 1: ActiveX controls detected on malicious webpages through IExtensionValidation, 3Q14–2Q15, by control type

And of course, the report also contains the guidance your organization can use to protect its data and assets.

You can download Volume 19 of the Microsoft Security Intelligence Report at www.microsoft.com/sir.

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection

Historic High Infection Rates – The Threat Landscape in the Middle East

October 21st, 2015

I have written about the threat landscape in the Middle East extensively over the years. It’s been about 18 months since I published my last article on this part of the world and malware infection rates in some locations in the region have since risen to historic highs – far above the highest malware infection rates ever published in the Microsoft Security Intelligence Report. So I thought I’d take a fresh look at what has been happening in some locations in the Middle East.

If you are interested in some of the analysis and insights that we have published in the past, here are some of the most recent articles:

The Threat Landscape in the Middle East and Southwest Asia – Part 1: Relatively High Malware Infection Rates
The Threat Landscape in the Middle East and Southwest Asia – Part 2: Relatively High Malware Encounter Rates
The Threat Landscape in the Middle East and Southwest Asia – Part 3: Regional Anti-virus Software Usage
The Threat Landscape in the Middle East and Southwest Asia – Part 4: Regional Windows XP Market Share
Threat Landscape in the Middle East and Southwest Asia – Part 5: Socio-economic Factors and Regional Malware Infection Rates
Threat Landscape in the Middle East and Southwest Asia – Part 6: Best Practices from Locations with Low Malware Infection Rates
Regime Stability, Demographic Instability and Regional Malware Infection Rates – Part 1: Egypt
Regime Stability, Demographic Instability and Regional Malware Infection Rates – Part 2: Syria
The Threat Landscape in the Middle East – Part 3: Israel and Saudi Arabia

The malware infection rates (CCM) in the Middle East have typically been well above the worldwide average. The exception has tended to be Israel where the infection rate has closely mirrored the worldwide average during many time periods as seen in Figure 1.

Before I explore what happened in late 2013 and 2014 to drive infection rates significantly higher in all the locations listed in Figure 1, you might also be wondering about Qatar’s relatively high infection rate in the first quarter of 2011 (1Q11), which can be seen in Figure 1. You can read about that in a previously published article: The Threat Landscape in the Middle East – Part 1: Qatar.

Figure 1: the malware infection rates (CCM) for Egypt, Iraq, Israel, Oman, the Palestinian Authority, Qatar, Saudi Arabia, Syria, the United Arab Emirates, and the worldwide average per quarter for the years 2011 through 2014

All of the locations listed in Figure 1 had malware infection rates above the worldwide average in all four quarters of 2014. There is a clear increase in the CCM in most of these locations starting in the fourth quarter of 2013 (4Q13) or the first quarter of 2014 (1Q14). Qatar and the United Arab Emirates (UAE) saw increases in CCM in 4Q13; Qatar’s CCM increased 2.4 times from 11.4 to 27.7, while the UAE’s CCM increased 2.8 times from 12.2 to 34.0. But then the CCM in both locations leveled out and decreased in the last half of 2014, as did the worldwide average. Several other locations that saw their CCMs increase in 4Q13, continued to see large CCM increases in the following quarter.

One of the largest infection rate increases was in Iraq. The CCM in Iraq increased from 31.3 in 4Q13 to 110.7 in 1Q14, a 3.5 times increase. Examining the threat families responsible for this very large increase leads us to two families: MSIL/Bladabindi and Win32/Jenxcus. Detection for Bladabindi was added to the Microsoft Windows Malicious Software Removal Tool (MSRT) in January of 2014. Subsequently, Bladabindi was found and removed from 27.9 systems for every 1,000 systems that the MSRT executed on in Iraq in 1Q14. Detection for Jenxcus was added to MSRT in February of 2014 and it was also a prevalent threat in the region, found and removed from 25.2 systems for every 1,000 systems that the MSRT executed on in Iraq during the same period. The sudden increase in detections of these two families is the primary reason for the infection rate increase in Iraq at the beginning of 2014 and the subsequent decrease over time as fewer and fewer systems were found to be infected with these two families of threats.

MSIL/Bladabindi can steal sensitive information and send it to a malicious hacker. This threat family can also download other malware and provide attackers with backdoor access on compromised systems. Variants of this family can spread via infected removable drives, such as USB flash drives. They can also be downloaded by other malware, or spread through malicious links and hacked websites. Bladabindi variants are usually installed with an enticing name and icon to trick people into running them.

Win32/Jenxcus uses social engineering to trick the victim into running a malicious script file that is commonly bundled with other programs. When the program bundle is executed Jenxcus runs silently in the background. Win32/Jenxcus also operates as a worm that detects whether the victim’s system has a removable drive connected to it. If it does, it copies itself onto that drive. It also creates a shortcut link pointing to its copy in the removable drive. Typically, this threat gets onto vulnerable systems via drive-by download attacks or via infected removable drives.

Beyond the CCM increase seen in Iraq, Figure 1 illustrates smaller but similar CCM increases for several other locations in the region including Egypt, Oman, Palestinian Authority (West Bank and Gaza Strip), Saudi Arabia, and Syria. Win32/Jenxcus was the primary threat family driving CCMs higher in the first quarter of 2014 in all of these locations except Syria.

In Syria Win32/Gamarue and Win32/Sality were responsible for driving the infection rate from a CCM of 34.0 in the fourth quarter of 2013 to 75.5 in the first quarter of 2014.

Besides Win32/Jenxcus, Sality also contributed to the infection rate increase in Egypt, where it has been a prevalent threat for some time. I’ve written about this before: Are Viruses Making a Comeback? Egypt’s CCM increased to 73.2 in the first quarter of 2014 from 27.6 the prior quarter, a 2.7 times increase.

Whereas infection rate (CCM) data comes from the Malicious Software Removal Tool, the encounter rate (ER) is the percentage of computers running Microsoft real-time security software that report detecting malware, or report detecting a specific threat or family, during a period. Most of these encounters are from systems running Microsoft Security Essentials or Windows Defender (on Windows 8.1) reporting that they blocked malware from installing on them. For example, the worldwide average encounter rate in the fourth quarter of 2014 (4Q14) was 15.9%. As seen in Figure 2, with the exception of Israel, several locations in the Middle East have significantly higher than average ERs. I can’t show you the ER for all the countries we have CCM data for, as we don’t have enough systems reporting ER data from some of the locations in the region during this period of time.
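The paragraph above, together with the per-1,000 figures quoted for Iraq earlier in this post, defines the two metrics the whole series relies on: CCM (computers cleaned per 1,000 unique computers the MSRT executed on) and ER (the percentage of computers running real-time protection that reported a detection). The block below is an added example of computing both from raw records, including the per-family CCM used for Bladabindi and Jenxcus and the quarter-over-quarter multiplier (11.4 to 27.7 is a 2.4x increase). It is not Microsoft's code or telemetry format; the record layouts, the location labels "locA" and "locB", and all counts are constructed for the example.

```python
"""Infection rate (CCM) and encounter rate (ER) from constructed telemetry.

Added example, not Microsoft's code and not the SIR telemetry format. CCM is
the number of computers the Malicious Software Removal Tool (MSRT) cleaned
for every 1,000 unique computers it executed on; ER is the percentage of
computers running real-time antimalware that reported at least one detection
in the period. Record layouts, location labels and counts are assumptions.
"""

def make_msrt_runs(location, total, cleaned):
    """Constructed MSRT records: (location, computer_id, families_removed).

    `cleaned` maps a computer index to the families removed from it; every
    other computer ran the MSRT and was found clean.
    """
    return [(location, f"{location}-{i}", cleaned.get(i, ())) for i in range(total)]

def make_rtp_reports(location, total, detected, duplicates=()):
    """Constructed real-time protection reports: (location, computer_id, families).

    A computer can report several times in a quarter; `duplicates` lists the
    indices that send a second report, which must not be counted twice.
    """
    reports = [(location, f"{location}-{i}", detected.get(i, ())) for i in range(total)]
    reports += [(location, f"{location}-{i}", detected.get(i, ())) for i in duplicates]
    return reports

# Constructed data for two hypothetical locations.
LOC_A_MSRT = make_msrt_runs("locA", 200, {
    **{i: ("MSIL/Bladabindi",) for i in range(12)},
    **{i: ("Win32/Jenxcus",) for i in range(12, 18)},
    **{i: ("MSIL/Bladabindi", "Win32/Jenxcus") for i in range(18, 20)},
})
LOC_B_MSRT = make_msrt_runs("locB", 500, {i: ("Win32/Sality",) for i in range(8)})
LOC_A_RTP = make_rtp_reports("locA", 50, {i: ("Win32/Rotbrow",) for i in range(15)},
                             duplicates=(0, 1))
LOC_B_RTP = make_rtp_reports("locB", 100, {i: ("INF/Autorun",) for i in range(8)})

def ccm(runs, location, family=None):
    """Computers cleaned per 1,000 unique MSRT computers; optionally one family only."""
    by_computer = {}
    for loc, cid, families in runs:
        if loc == location:
            by_computer.setdefault(cid, set()).update(families)
    if not by_computer:
        raise ValueError(f"no MSRT data for {location}")
    if family is None:
        hits = sum(1 for families in by_computer.values() if families)
    else:
        hits = sum(1 for families in by_computer.values() if family in families)
    return round(1000.0 * hits / len(by_computer), 1)

def er(reports, location):
    """Percentage of unique reporting computers that detected any malware."""
    seen, detected = set(), set()
    for loc, cid, families in reports:
        if loc != location:
            continue
        seen.add(cid)
        if families:
            detected.add(cid)
    if not seen:
        raise ValueError(f"not enough ER data for {location}")
    return round(100.0 * len(detected) / len(seen), 1)

def ccm_as_percent(value):
    """A CCM of 5.2 means 5.2 per 1,000 computers, i.e. 0.52%."""
    return value / 10.0

def change_factor(previous, current):
    """Quarter-over-quarter multiplier, e.g. 11.4 -> 27.7 is a 2.4x increase."""
    return round(current / previous, 1)

if __name__ == "__main__":
    for loc, runs, reports in (("locA", LOC_A_MSRT, LOC_A_RTP), ("locB", LOC_B_MSRT, LOC_B_RTP)):
        print(loc, "CCM", ccm(runs, loc), "ER", er(reports, loc))
```

Two details matter when reproducing these numbers from your own data: both rates are per unique computer, so repeated reports from one machine are collapsed before dividing, and a location with too few reporting systems raises rather than returning a misleading rate, which is the same reason the post cannot show an ER for every location.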

Figure 2: the encounter rates (ER) for Egypt, Iraq, Israel, Qatar, Saudi Arabia, the United Arab Emirates, and the worldwide average per quarter for the period between the 3rd quarter of 2013 through the 4th quarter of 2014

Notice how the ER increases in the third quarter of 2013 (3Q13), as opposed to the first quarter of 2014, when we saw large increases in infection rates in the region. A few threats were involved in this increase. In most of these locations Win32/Rotbrow, Win32/Brantall, INF/Autorun, and VBS/Jenxcus all contributed to higher ERs during this period of time.

Malware families that use Autorun feature abuse (Win32/Autorun) have been some of the most prevalent threats encountered in the region for many years. These threats typically spread via USB drives and other removable media. I theorize that this type of threat is encountered in the Middle East so much because Internet connectivity is inconsistent in some locations, likely due to higher than average strife in places like Syria, Egypt, and Iraq. Subsequently, I postulate that people in these locations transfer files using removable media more often than many other places, exposing more systems to Autorun attacks. It’s just an educated guess. I have written about this threat before: Defending Against Autorun Attacks.

Figure 3: Autorun infographic that shows how these worms can spread

A drive-by download site is a website that hosts one or more exploits that target vulnerabilities in web browsers and browser add-ons. Users with vulnerable computers can be infected with malware simply by visiting such a website, even without attempting to download anything. Drive-by download pages are usually hosted on legitimate websites to which an attacker has posted exploit code. Attackers gain access to legitimate sites through intrusion or by posting malicious code to a poorly secured web form, like a comment field on a blog. Compromised sites can be hosted anywhere in the world and concern nearly any subject imaginable, making it difficult for even an experienced user to identify a compromised site from a list of search results.

Figure 4: Drive-by download pages indexed by Bing at the end of the fourth quarter of 2014 (4Q14), per 1,000 URLs in each country/region

Only Syria stands out with substantially higher concentrations of drive-by download sites in the region during 3Q13, 4Q13, and 4Q14.

Figure 5: Concentration of drive-by download URLs tracked by Bing in select locations in the Middle East on a reference date at the end of the associated quarter, expressed as the number of drive-by download URLs per every 1,000 URLs hosted in the country/region.

I asked Cyril Voisin, Microsoft’s Chief Security Advisor in the Middle East and Africa, who is based in the UAE, how people in the region should protect themselves. The following is what Cyril recommended.

Arabian Peninsula and Northern Africa countries were particularly affected by MSIL/Bladabindi and Win32/Jenxcus as these were part of attacks targeting Arabic speaking people, making them less suspicious as their language was used in order to lure them. For our larger MEA region, as well as for any other location in the world, I think the number 1 protection is the vigilance of users.

At the end of the day this boils down to:

  • Stay aware of risks and use your judgement as your best defense. And please spread the word by talking to your family and community members to increase their online safety. Anytime you are about to take any potentially harmful decision, reflect before you act and look for clues indicating phishing. Would this person really write to me in a foreign language to warn me about a picture where I look funny? Would this website confirm an order I did not make without calling me by my name? Would my bank require new urgent security information without notice? And of course everyone proposing to share their fortune with you only wants to get your money to build their own fortune… Finally beware of tech support phone scams where someone will call you directly and try to manipulate you over the phone, pretending for instance to be working for Microsoft support and asking you to install software on your machine, in order to take control of it.
  • Enforce basic hygiene. Again, this is not new, and at the risk of sounding like a broken record, I would like to remind everyone about the basics. If you want to skip that section, one recommendation though: upgrade to Windows 10 to benefit from all the security work that has been done to enhance your protection and automate some of the tasks below and beyond.
    • Keep everything up to date (all software on your PC, your tablet, your smartphone): that means applying updates for your system and applications, including browser, plug-ins, music software… as newer software is better for security.
    • Run an up-to-date antimalware solution and keep in mind that the presence of this security tool does not mean you can take inconsiderate risks.
    • Use a firewall
    • Choose good passwords where they are necessary. Hint: Windows Hello and Microsoft Passport are your friends.

I hope you found this analysis informative and useful. You can find the latest data on the locations I examined in this series and many others at http://microsoft.com/sir.

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection

The Latest Picture of the Threat Landscape in the European Union – part 2

June 29th, 2015

In part 1 of this series on the threat landscape in the European Union (EU) I examined the encounter and infection rates among EU member countries/regions, focusing on a couple of the locations with highest malware encounter rates (ER) and infection rates (CCM).

In part 2 of the series I’ll focus on the locations in the EU with the lowest ERs and CCMs. I’ll also examine the top threats found in the region in the last half of 2014.

Figure 1 illustrates the locations in the EU that have the lowest ERs. Finland, Denmark, Sweden, Ireland, Germany, and Austria had the lowest ERs in the EU in the last quarter of 2014. These locations have consistently had lower ERs than the worldwide average.

Figure 1: Locations with the lowest encounter rates in the EU in the third (3Q14) and fourth (4Q14) quarters of 2014

Taking a closer look at Finland in Figure 2, the location with the lowest ER in the EU, we can see every category of threat is encountered significantly less frequently by systems in Finland than the worldwide average.

Figure 2: (left) malware categories encountered in Finland in the fourth quarter of 2014 compared to the worldwide averages; (right) unwanted software categories encountered in Finland and worldwide during the last quarter of 2014

Although Norway is not a member of the EU, my coworkers and many of the customers I have met in Norway would want me to mention that Norway is another location in the region with one of the healthiest ecosystems in the world, as is Japan.

Figure 3: (left) Encounter and infection rates for Norway during each quarter of 2014; (right) Encounter and infection rates for Japan during each quarter of 2014

Looking at the locations in the EU with the lowest malware infection rates we can see some of the locations with the lowest ERs in the region also have low infection rates, including Finland, Denmark, Sweden, Ireland, and Austria. Estonia had a consistently low infection rate through all four quarters of 2014. We didn’t have enough data to publish an ER for Luxembourg, but its infection rate was consistent with other low infection rate locations in the region during 2014. The Netherlands also has consistently low infection rates.

Figure 4: Locations in the EU with the lowest malware infection rates (CCM) in the last quarter of 2014

Although there are locations in the EU with consistently low infection rates, this doesn’t mean those locations don’t experience temporary dramatic infection rate increases. For example, Figure 5 illustrates some dramatic infection rate increases that took place in Austria and the Netherlands in 2011 when the Win32/EyeStye Trojan (also known as SpyEye) was detected and cleaned from a relatively large number of systems in Austria, the Netherlands, Germany and Italy. I visited numerous enterprise customers in the region during that time period to discuss this threat with them.

Figure 5: (left) The infection rate trend for Austria between the third quarter of 2011 and the second quarter of 2013; (right) the infection rate trend for the Netherlands between the third quarter of 2011 and the fourth quarter of 2012

Some locations in the EU saw great infection rate improvements in 2014. Figure 6 illustrates some of the biggest infection rate improvements in the region. France, Italy, Portugal, and Spain all ended 2014 with infection rates lower than the worldwide average after starting the year with significantly higher CCMs. Interestingly, over the years I have noticed elevated levels of Adware among these locations relative to the worldwide average, and the fourth quarter of 2014 was no different. With the exception of Portugal, these locations also all had elevated levels of Trojan Downloaders & Droppers during the last quarter of the year.

Figure 6: The largest CCM improvements in the EU in the second half of 2014

The most prevalent threat families found in the EU during the second half of 2014 are listed in Figure 7. Having only one commercial exploit kit (JS/Axpergle, also known as Angler) in the top ten threats in the region is good news, as exploit kits are typically used by attackers to spread ransomware and other malware to unpatched systems. The top three threats in the EU in the fourth quarter of 2014 were all families of worms that typically spread via unsecured file shares and removable media like USB drives.

Figure 7: The top 10 threat families in the EU in the second half of 2014

The good news is that many of these threats can be mitigated by keeping systems up-to-date with security updates and running up-to-date antimalware software. Could it be that locations in the EU that have relatively high malware infection rates also have relatively low antimalware software adoption/usage?

In part 3 of this series on the threat landscape in the EU I’m going to look at which locations in the EU have the highest and lowest usage of real-time antimalware software in the region – a key protection technology. I’m also going to examine which locations in the region host the most drive-by download attacks – a favorite malware distribution method for attackers.

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection

Latest data shows newer versions of Windows have lower malware infection rates than older versions

May 19th, 2015

We released the latest volume of the Microsoft Security Intelligence Report last week. The latest data on how different versions of the Windows operating system are mitigating modern malware attacks suggests that newer versions are performing better than older versions.

The figure below illustrates the malware infection rates for Windows client and server operating systems in the third and fourth quarters of 2014 based on data from hundreds of millions of systems worldwide. This data is normalized, meaning the infection rate for each version of Windows is calculated by comparing an equal number of computers per version; for example, comparing 1,000 Windows Vista Service Pack 2 (SP2) based systems to 1,000 Windows 8.1 based systems in the fourth quarter of 2014 we can see 5.2 Windows Vista based systems infected with malware compared to 1.3 Windows 8.1 systems infected. In percentage terms, that’s equivalent to 0.52% of Windows Vista based systems (5.2/1,000*100 = 0.52) compared to 0.13% of Windows 8.1 based systems (1.3/1,000*100) infected with malware.

Figure: Infection rate by client and server operating system in the third and fourth quarters of 2014 (3Q14/4Q14)

The newest versions of both Windows client and server operating systems had the lowest malware infection rates during the period, by a large margin.

Some of the CISOs and IT professionals I talk to use this operating system infection rate data to help make a business case for upgrading to newer, more secure software or deploying more secure service packs for their current platforms. As you can see from the latest data, newer is better across the board.

You can download this data in volume 18 of the Microsoft Security Intelligence Report at http://microsoft.com/sir.

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection

The life and times of an exploit

May 18th, 2015

Just this week we released the latest Microsoft Security Intelligence Report that focuses on the threat landscape in the second half of 2014. The “featured intelligence” included in the new volume of the report examines the increased speed at which purveyors of commercial exploit kits are trying to take advantage of newly disclosed vulnerabilities, even in cases where security updates have been developed, released and deployed to hundreds of millions of systems around the world.

New exploits are appearing in commercial exploit kits faster
This new research shows us that such attackers are simply trying to take advantage of organizations that have lengthy security update testing and deployment processes. Organizations with relatively slow or periodic security update deployment processes should use this research to evaluate whether their current processes continue to be effective at managing related risks, or whether new efficiencies are warranted given the increased speed that some modern day attackers have been demonstrating recently. The research confirms what many of the CISOs and security professionals I talk to already know: swiftly testing and applying security updates as they are released remains one of the best ways organizations can protect themselves from attacks.

Microsoft researchers used CVE-2014-6332, which was addressed in Security Bulletin MS14-064, as a case study. The vulnerability was reported to Microsoft, a security update was engineered and tested, and then deployed to hundreds of millions of systems around the world starting on Tuesday November 11th, 2014.

Tools that enable automated reverse engineering of security updates have been around for many years. But from past research we have seen that it can typically take several weeks or even months before such exploits appear as part of commercial exploit kits that attackers can rent or lease. In the second half of 2014 we saw that timeframe reduced dramatically. In the case of CVE-2014-6332 it was first observed being used in commercial exploit kits just 4 or 5 days after the first attacks in the wild were observed.

The Good News
The good news is that by the time these attacks started, the security update, MS14-064, had been deployed to hundreds of millions of systems around the world, making the exploit ineffective on them. Many organizations that practice rapid security update deployment were deploying the update before attackers could start broad attacks using exploit kits. For organizations that had slower deployment processes, Microsoft shared signature development guidance for CVE-2014-6332 with our Microsoft Active Protections Program (MAPP) partners, who released signatures at the same time Microsoft released MS14-064. This helps detect and block attacks using the vulnerability on unpatched systems, thus, in many cases, giving them more time to test and deploy the security update.

Deploying security updates quickly is the most effective mitigation
Once attackers have a working exploit they will continue to try to use it for years into the future. It’s important to promptly install all relevant security updates as soon as is practical as this remains one of the best ways to help defend users and systems against newly discovered threats. It also pays security dividends to use the products from MAPP partners as they work closely with Microsoft to help customers stay ahead of attackers.
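The post asks organizations to measure their own update deployment process against how quickly an exploit now reaches commercial kits. The block below is an added example of that evaluation, not Microsoft's research code: it takes a timeline of release, first in-the-wild attack and exploit-kit integration dates and reports how many days a fleet patched on a given schedule stayed exposed. The CVE ids are placeholders and every date except the MS14-064 release date quoted in the post is an assumption chosen to show the two patterns the research contrasts (days versus weeks).

```python
"""Exploit-kit timing versus an organization's update deployment window.

Added example, not Microsoft's research code. CVE ids are placeholders and
the dates are constructed to illustrate the two situations described in the
post: an exploit that reaches commercial kits within days of the first
in-the-wild attacks, and the older pattern of a gap of weeks. Only the
MS14-064 release date (November 11th, 2014) is taken from the post.
"""
from datetime import date, timedelta

# Constructed timeline (placeholder ids, assumed dates unless noted).
TIMELINE = [
    {"id": "CVE-0000-0001 (placeholder)",
     "update_released": date(2014, 11, 11),   # from the post: MS14-064 release date
     "first_in_the_wild": date(2014, 11, 20),  # assumed
     "in_exploit_kit": date(2014, 11, 24)},    # assumed: 4 days after first attacks
    {"id": "CVE-0000-0002 (placeholder)",
     "update_released": date(2014, 9, 9),      # assumed
     "first_in_the_wild": date(2014, 10, 1),   # assumed
     "in_exploit_kit": date(2014, 11, 5)},     # assumed: weeks later, the older pattern
]

def days_until_kit(entry):
    """Days from the update's release to the exploit appearing in a commercial kit."""
    return (entry["in_exploit_kit"] - entry["update_released"]).days

def exposure(entry, deployed_on):
    """Days a fleet fully patched on `deployed_on` stayed exposed after each milestone.

    Returns (targeted, broad): unpatched days after the first in-the-wild
    attacks, and unpatched days after exploit-kit integration. Zero means the
    update was deployed before that milestone.
    """
    targeted = max(0, (deployed_on - entry["first_in_the_wild"]).days)
    broad = max(0, (deployed_on - entry["in_exploit_kit"]).days)
    return targeted, broad

def evaluate_sla(timeline, sla_days):
    """Assume deployment completes `sla_days` after release; report exposure per entry."""
    result = {}
    for entry in timeline:
        deployed_on = entry["update_released"] + timedelta(days=sla_days)
        result[entry["id"]] = exposure(entry, deployed_on)
    return result

def entries_exposed_to_kits(timeline, sla_days):
    """Ids whose exploit-kit window opened before the SLA deployment completed."""
    return [cve for cve, (_, broad) in evaluate_sla(timeline, sla_days).items() if broad > 0]

if __name__ == "__main__":
    for sla in (7, 30, 60):
        print(f"{sla}-day deployment:", evaluate_sla(TIMELINE, sla))
```

Run against a real timeline, the `broad` figure is the one to watch: a 30-day deployment cycle that was adequate when kits lagged by weeks leaves the fleet open to mass exploitation for more than two weeks once the lag drops to days.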

You can get full details of this new research in volume 18 of the Microsoft Security Intelligence Report.

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection

Mass vulnerabilities in Android applications spike industry vulnerability disclosures in 4th Quarter 2014

May 14th, 2015

We have included data and analysis on industrywide vulnerability disclosures in the Microsoft Security Intelligence Report (SIR) for many years. We compile and analyze this information using vulnerability disclosure data that is published in the National Vulnerability Database (NVD) – the US government’s repository of standards-based vulnerability management data at nvd.nist.gov. The NVD represents all vulnerability disclosures that have a published Common Vulnerabilities and Exposures identifier (CVE).

The vulnerability disclosure data published in the just released volume of the SIR, volume 18, suggests that there was a 56.3% increase in vulnerability disclosures between the third and fourth quarters of 2014. After many periods of relatively small changes in disclosure totals, the 4,512 vulnerabilities disclosed during the second half of 2014 is the largest number of vulnerabilities disclosed in any half-year period since the CVE system was launched in 1999.

Figure 1: Industrywide vulnerability disclosures between the first half of 2012 (1H12) and the second half of 2014 (2H14)

This large increase in disclosures is predominantly the result of work performed by the CERT Coordination Center (CERT/CC) in the second half of 2014 to scan Android applications in the Google Play Store for man-in-the-middle vulnerabilities using an automated tool called CERT Tapioca.[1] CERT/CC determined that thousands of Android apps fail to properly validate the SSL certificates presented on HTTPS connections, which allows an attacker on the same network as an Android device to intercept and tamper with the app's traffic by performing a man-in-the-middle attack.[2]

This project resulted in the creation of almost 1,400 individual CVEs affecting thousands of different publishers of Android apps and code libraries. Without the Android application vulnerabilities discovered by CERT/CC, vulnerability disclosures across the entire industry would have increased about 8% in the second half of 2014 – which would be more consistent with the increases observed over the past several half-year periods.
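To make the failure mode concrete, here is an added example, written for this page rather than taken from CERT/CC, Tapioca, or any of the affected apps. It is in Go and uses only the standard library: it generates, in memory, a self-signed certificate for the assumed hostname api.example.test to stand in for the real server and a second one to stand in for an on-path interceptor, then runs three TLS handshakes over an in-memory pipe. A client that verifies against a trust store holding only the real certificate accepts the real server and refuses the interceptor; a client configured with InsecureSkipVerify, Go's equivalent of the Android trust-all TrustManager (a custom X509TrustManager whose checkServerTrusted accepts everything), completes the handshake with the interceptor. That completed handshake against a certificate the app has no reason to trust is what an interception proxy in Tapioca's position observes when an app is vulnerable. The function and type names, the hostname and the serial numbers are the example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newSelfSignedCert builds a self-signed certificate for host in memory. The same
// helper makes the real server's certificate and the interceptor's; only the trust store tells them apart.
func newSelfSignedCert(host string, serial int64) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host}, // hostname verification matches the SAN
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed, so it is its own trust anchor
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// clientConfig is the correct client setup (chain must anchor in roots, a SAN must match serverName;
// Go's default verifier enforces both) or, with trustAll, the trust-all TrustManager bug: anything is accepted.
func clientConfig(roots *x509.CertPool, serverName string, trustAll bool) *tls.Config {
	return &tls.Config{RootCAs: roots, ServerName: serverName, InsecureSkipVerify: trustAll}
}

// handshake runs one TLS handshake over an in-memory pipe (no sockets) and returns
// the client's verdict: nil means the client accepted the server's certificate.
func handshake(serverCert tls.Certificate, clientCfg *tls.Config) error {
	cConn, sConn := net.Pipe()
	defer func() { cConn.Close(); sConn.Close() }()
	cConn.SetDeadline(time.Now().Add(5 * time.Second)) // a mistake should fail, not hang
	sConn.SetDeadline(time.Now().Add(5 * time.Second))
	serverCfg := &tls.Config{Certificates: []tls.Certificate{serverCert}, SessionTicketsDisabled: true}
	done := make(chan struct{})
	go func() { tls.Server(sConn, serverCfg).Handshake(); close(done) }()
	err := tls.Client(cConn, clientCfg).Handshake()
	<-done // let the server side finish, or fail with the matching alert
	return err
}

type Result struct {
	SecureAcceptsLegit  bool   // verifying client, real server: expected true
	SecureAcceptsMITM   bool   // verifying client, interceptor: expected false
	TrustAllAcceptsMITM bool   // trust-all client, interceptor: true is the bug
	MITMRejection       string // why the verifying client refused the interceptor
}

// RunScenario makes a real and an interceptor certificate for host and reports
// which client configurations complete a handshake against each.
func RunScenario(host string) (Result, error) {
	legit, err := newSelfSignedCert(host, 1)
	if err != nil {
		return Result{}, err
	}
	mitm, err := newSelfSignedCert(host, 2) // same hostname, a key the client never trusted
	if err != nil {
		return Result{}, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(legit.Leaf) // the client's trust store holds only the real server
	var r Result
	r.SecureAcceptsLegit = handshake(legit, clientConfig(roots, host, false)) == nil
	if err := handshake(mitm, clientConfig(roots, host, false)); err != nil {
		r.MITMRejection = err.Error()
	} else {
		r.SecureAcceptsMITM = true
	}
	r.TrustAllAcceptsMITM = handshake(mitm, clientConfig(nil, host, true)) == nil
	return r, nil
}

func main() {
	fmt.Println(RunScenario("api.example.test"))
}
```

Run it with go run; MITMRejection carries the error a correctly configured client returns for the interceptor (an unknown-authority error), which is exactly the error a trust-all TrustManager swallows. The fix for an app in this state is not to ship its own certificate check but to delete the custom trust manager and let the platform verifier run.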

All of the Android SSL vulnerabilities discovered by CERT/CC are medium-severity (CVSS scores from 4 to 7.9) and medium-complexity vulnerabilities that affect non-operating-system applications. This increased the number of medium-severity and medium-complexity vulnerability disclosures sharply compared to past periods. For example, medium-severity vulnerability disclosures increased from 59.6% of all vulnerabilities in the first half of 2014 to 72.5% in the second half of the year.

Figure 2: left: Industrywide vulnerability disclosures in the first half of 2014, by severity; right: Industrywide vulnerability disclosures in the second half of 2014, by severity

Medium-severity vulnerabilities accounted for almost the entire increase in disclosures seen in the last six months of 2014.

Figure 3: Industrywide vulnerability disclosures by severity, between the first half of 2012 (1H12) and the second half of 2014 (2H14)

Some vulnerabilities are easier to exploit than others, so vulnerability complexity is an important factor in determining the risk that each vulnerability poses. CVSS version 2 assigns each vulnerability an Access Complexity rating of Low, Medium, or High. Medium-complexity vulnerabilities were the largest category of disclosures in the second half of 2014 and accounted for the bulk of the significant increase in total disclosures observed during the period. Medium-complexity vulnerability disclosures doubled between the first and second halves of 2014, increasing from 48.0% of all disclosures in the first half of the year to 61.5% in the second half. Of note, disclosures of Low-complexity vulnerabilities (those that are the easiest to exploit) also increased significantly in the last six months of 2014: Low-complexity vulnerability disclosures increased 20.3% between the first and second halves of 2014, although their share of all vulnerabilities declined from 48.0% to 36.9% because of the sharp increase in Medium-complexity vulnerability disclosures in the same period.

Figure 4: Industrywide vulnerability disclosures by access complexity, between the first half of 2012 (1H12) and the second half of 2014 (2H14)

Many of the CISOs and security professionals I talk to are primarily concerned about vulnerabilities in operating systems and web browsers. But Figure 5 illustrates that there are typically more vulnerability disclosures in applications than in operating systems and browsers combined, and the almost 1,400 individual CVEs affecting thousands of different publishers of Android apps and code libraries accentuate this trend. Disclosures of vulnerabilities in applications other than web browsers and operating system applications increased 98.3% in the second half of 2014 and accounted for 76.5% of total disclosures for the period.

Figure 5: Industrywide operating system, browser, and application vulnerabilities, between the first half of 2012 (1H12) and the second half of 2014 (2H14)
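The breakdowns in this post (severity from the CVSS base score, access complexity, and the operating system, browser and application split) and the counterfactual of what growth would have been without the CERT/CC batch are straightforward to recompute from NVD records. The Go program below is an added example for this page, not Microsoft's or NVD's code; it runs over a small constructed data set embedded in the file (the S01 to S17 and T01 to T06 labels are sample identifiers, not CVE IDs) and uses NVD's published cut-offs for CVSS v2 severity: Low 0 to 3.9, Medium 4.0 to 6.9, High 7.0 to 10.0. One caveat for anyone reproducing the post's figures: the post describes the medium band as 4 to 7.9, which does not match NVD's own v2 ranking, so the HighFloor variable is there to let you pick either boundary and see how the shares move.

```go
package main

import (
	"fmt"
	"sort"
)

// Disclosure is the slice of an NVD CVE record the SIR breakdowns need (CVSS v2 values).
type Disclosure struct {
	ID         string  // constructed sample label, not a CVE ID
	Period     string  // half-year, "1H14" or "2H14"
	Score      float64 // CVSS v2 base score, 0.0-10.0
	Complexity string  // CVSS v2 Access Complexity: LOW, MEDIUM or HIGH
	Category   string  // "os", "browser" or "app"
	Source     string  // reporting party, used by Growth's what-if
}

// NVD's CVSS v2 cut-offs: Low 0-3.9, Medium 4.0-6.9, High 7.0-10.0. Set HighFloor
// to 8.0 to reproduce the 4-7.9 "medium" band the post quotes.
var MediumFloor, HighFloor = 4.0, 7.0

func Severity(score float64) string {
	switch {
	case score >= HighFloor:
		return "High"
	case score >= MediumFloor:
		return "Medium"
	}
	return "Low"
}

// Count tallies one period's disclosures by key (severity, complexity, category).
func Count(ds []Disclosure, period string, key func(Disclosure) string) map[string]int {
	out := map[string]int{}
	for _, d := range ds {
		if d.Period == period {
			out[key(d)]++
		}
	}
	return out
}

// Growth is the percentage change between two periods, counted once with every record
// and once with one reporting source left out of both periods (the post's counterfactual).
func Growth(ds []Disclosure, from, to, excludeSource string) (all, without float64) {
	count := func(period string, exclude bool) float64 {
		n := 0
		for _, d := range ds {
			if d.Period == period && !(exclude && d.Source == excludeSource) {
				n++
			}
		}
		return float64(n)
	}
	all = 100 * (count(to, false) - count(from, false)) / count(from, false)
	without = 100 * (count(to, true) - count(from, true)) / count(from, true)
	return all, without
}

// Sample is constructed for this example, not NVD data: eight 1H14 records, nine ordinary 2H14
// records, and six 2H14 records from one mass disclosure shaped like the Tapioca batch.
var Sample = func() []Disclosure {
	ds := []Disclosure{
		{"S01", "1H14", 9.3, "MEDIUM", "os", "vendor"}, {"S02", "1H14", 7.5, "LOW", "browser", "vendor"}, {"S03", "1H14", 4.3, "MEDIUM", "app", "researcher"},
		{"S04", "1H14", 5.0, "LOW", "app", "researcher"}, {"S05", "1H14", 2.1, "LOW", "os", "vendor"}, {"S06", "1H14", 6.8, "MEDIUM", "browser", "vendor"},
		{"S07", "1H14", 10.0, "LOW", "app", "researcher"}, {"S08", "1H14", 4.0, "HIGH", "app", "researcher"}, {"S09", "2H14", 7.2, "LOW", "os", "vendor"},
		{"S10", "2H14", 4.3, "MEDIUM", "browser", "vendor"}, {"S11", "2H14", 9.3, "MEDIUM", "browser", "vendor"}, {"S12", "2H14", 5.0, "LOW", "app", "researcher"},
		{"S13", "2H14", 3.5, "MEDIUM", "app", "researcher"}, {"S14", "2H14", 6.4, "LOW", "os", "vendor"}, {"S15", "2H14", 7.5, "LOW", "app", "researcher"},
		{"S16", "2H14", 4.3, "MEDIUM", "app", "researcher"}, {"S17", "2H14", 1.9, "HIGH", "os", "vendor"},
	}
	for i := 1; i <= 6; i++ { // all app-layer, all medium score, all medium complexity
		ds = append(ds, Disclosure{fmt.Sprintf("T%02d", i), "2H14", 5.8, "MEDIUM", "app", "CERT/CC Tapioca"})
	}
	return ds
}()

// Report prints one breakdown as a sorted table of count and share of the period.
func Report(title string, counts map[string]int) {
	keys, total := make([]string, 0, len(counts)), 0
	for k, n := range counts {
		keys, total = append(keys, k), total+n
	}
	sort.Strings(keys)
	fmt.Println(title)
	for _, k := range keys {
		fmt.Printf("  %-8s %3d  %5.1f%%\n", k, counts[k], 100*float64(counts[k])/float64(total))
	}
}

func main() {
	for _, p := range []string{"1H14", "2H14"} {
		Report(p+" by severity", Count(Sample, p, func(d Disclosure) string { return Severity(d.Score) }))
		Report(p+" by complexity", Count(Sample, p, func(d Disclosure) string { return d.Complexity }))
		Report(p+" by category", Count(Sample, p, func(d Disclosure) string { return d.Category }))
	}
	all, without := Growth(Sample, "1H14", "2H14", "CERT/CC Tapioca")
	fmt.Printf("1H14 to 2H14: %+.1f%% overall, %+.1f%% without the mass disclosure\n", all, without)
}
```

On the sample the mass disclosure turns a 12.5% half-over-half increase into 87.5%, and pushes the medium-severity, medium-complexity and application shares of 2H14 to two thirds each, the same shape the post describes at full scale. To run it on real data, populate Disclosure from the NVD feed's CVSS v2 base score, access complexity and your own OS/browser/app classification, which is the judgement call the first post on this page discusses.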

You can get more details on vulnerability disclosure trends in the latest Microsoft Security Intelligence Report, available at http://microsoft.com/sir.

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection


[1] Will Dormann, "Finding Android SSL Vulnerabilities with CERT Tapioca," CERT/CC Blog, September 3, 2014, http://www.cert.org/blogs/certcc/post.cfm?EntryID=204.

[2] CERT Coordination Center, “Vulnerability Note VU#582497: Multiple Android applications fail to properly validate SSL certificates,” Vulnerability Notes Database, http://www.kb.cert.org/vuls/id/582497.

Latest Microsoft Security Intelligence Report Now Available

May 14th, 2015 No comments

Volume 18 of the Microsoft Security Intelligence Report (SIR) is now available at http://microsoft.com/sir.


This volume of the SIR focuses on the second half of 2014 and contains longer term trend data as well. SIR volume 18 contains data, insights and practical guidance on a range of global and regional cybersecurity threats including vulnerability disclosures, malware and unwanted software including the latest on Ransomware, malicious websites such as drive-by download sites, and exploit activity including exploits used in targeted attacks. Deep dives into the threat landscape in over 100 countries/regions are also available.

The “Featured Intelligence” section of the report is on “The life and times of an exploit.” This section explores the increased speed at which some attackers are able to reverse engineer security updates, illustrating the critical need to update systems as quickly as possible once security updates have been published by vendors.

The SIR also contains actionable guidance to help mitigate the threats reported to us from hundreds of millions of systems worldwide. This includes guidance based on the threats that Microsoft's IT department, MSIT, detects and mitigates in the course of protecting Microsoft's corporate network, which spans every region of the world.

Susan Hauser, Corporate Vice President, Worldwide Enterprise Partner Group highlights some of the key findings in the new SIR and guidance for enterprise customers on her blog.

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection

The Threat Landscape in Canada

October 15th, 2013 No comments

Last week I had the opportunity to speak at the Security Education Conference Toronto 2013 (SECTor). I love Canada; Toronto is an amazing city, and the conference was excellent.

During my session at the conference I discussed the threat landscape in Canada, based on data from various volumes of the Microsoft Security Intelligence Report. Canada's malware infection rate (CCM) has been consistently lower than the worldwide average for several years, as seen in Figure 1. Canada's malware infection rate almost doubled in the first quarter of 2013 (1Q13). Even so, the United States, which saw a similar increase, had an infection rate almost double Canada's in the same period. The infection rates in the United Kingdom and France were lower than Canada's in the first half of 2013, which isn't unusual.
