Archive for the ‘Microsoft Security Intelligence Report Volume 18’ Category

Latest data shows newer versions of Windows have lower malware infection rates than older versions

May 19th, 2015

We released the latest volume of the Microsoft Security Intelligence Report last week. The latest data on how different versions of the Windows operating system are mitigating modern malware attacks suggests that newer versions are performing better than older versions.

The figure below illustrates the malware infection rates for Windows client and server operating systems in the third and fourth quarters of 2014, based on data from hundreds of millions of systems worldwide. This data is normalized, meaning the infection rate for each version of Windows is calculated by comparing an equal number of computers per version. For example, comparing 1,000 Windows Vista Service Pack 2 (SP2) based systems to 1,000 Windows 8.1 based systems in the fourth quarter of 2014, we see 5.2 Windows Vista based systems infected with malware compared to 1.3 Windows 8.1 based systems. In percentage terms, that’s equivalent to 0.52% of Windows Vista based systems (5.2/1,000*100 = 0.52) compared to 0.13% of Windows 8.1 based systems (1.3/1,000*100 = 0.13) infected with malware.

Figure: Infection rate by client and server operating system in the third and fourth quarters of 2014 (3Q14/4Q14)

The newest versions of both Windows client and server operating systems had the lowest malware infection rates during the period, by a large margin.

Some of the CISOs and IT professionals I talk to use this operating system infection rate data to help make a business case for upgrading to newer, more secure software or deploying more secure service packs for their current platforms. As you can see from the latest data, newer is better across the board.

You can download this data in volume 18 of the Microsoft Security Intelligence Report at http://microsoft.com/sir.

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection

The life and times of an exploit

May 18th, 2015

Just this week we released the latest Microsoft Security Intelligence Report that focuses on the threat landscape in the second half of 2014. The “featured intelligence” included in the new volume of the report examines the increased speed at which purveyors of commercial exploit kits are trying to take advantage of newly disclosed vulnerabilities, even in cases where security updates have been developed, released and deployed to hundreds of millions of systems around the world.

New exploits are appearing in commercial exploit kits faster
This new research shows that such attackers are simply trying to take advantage of organizations whose security update testing and deployment processes have long lead times. Organizations with relatively slow or periodic security update deployment processes should use this research to evaluate whether their current processes remain effective at managing the related risks, or whether new efficiencies are warranted given the increased speed that some modern attackers have been demonstrating. The research confirms what many of the CISOs and security professionals I talk to already know: swiftly testing and applying security updates as they are released remains one of the best ways organizations can protect themselves from attacks.

Microsoft researchers used CVE-2014-6332, which was addressed in Security Bulletin MS14-064, as a case study. The vulnerability was reported to Microsoft, a security update was engineered and tested, and then deployed to hundreds of millions of systems around the world starting on Tuesday November 11th, 2014.

Tools that enable automated reverse engineering of security updates have been around for many years. But past research has shown that it typically takes several weeks or even months before exploits for a newly patched vulnerability appear in the commercial exploit kits that attackers can rent or lease. In the second half of 2014 we saw that timeframe reduced dramatically. In the case of CVE-2014-6332, the exploit was first observed in commercial exploit kits just 4 or 5 days after the first attacks in the wild were observed.
CVE-2014-6332

The Good News
The good news is that by the time these attacks started, the security update, MS14-064, had been deployed to hundreds of millions of systems around the world, making the exploit ineffective on them. Many organizations that practice rapid security update deployment were deploying the update before attackers could start broad attacks using exploit kits. For organizations with slower deployment processes, Microsoft shared signature development guidance for CVE-2014-6332 with our Microsoft Active Protections Program (MAPP) partners, who released signatures at the same time Microsoft released MS14-064. These signatures help detect and block attacks using the vulnerability on unpatched systems, which in many cases gives those organizations more time to test and deploy the security update.

Deploying security updates quickly is the most effective mitigation
Once attackers have a working exploit they will continue to try to use it for years into the future. Promptly installing all relevant security updates, as soon as is practical, remains one of the best ways to help defend users and systems against newly discovered threats. It also pays security dividends to use products from MAPP partners, as they work closely with Microsoft to help customers stay ahead of attackers.

You can get full details of this new research in volume 18 of the Microsoft Security Intelligence Report.

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection

Mass vulnerabilities in Android applications spike industry vulnerability disclosures in 4th Quarter 2014

May 14th, 2015

We have included data and analysis on industrywide vulnerability disclosures in the Microsoft Security Intelligence Report (SIR) for many years. We compile and analyze this information using vulnerability disclosure data that is published in the National Vulnerability Database (NVD) – the US government’s repository of standards-based vulnerability management data at nvd.nist.gov. The NVD represents all vulnerability disclosures that have a published Common Vulnerabilities and Exposures identifier (CVE).

The vulnerability disclosure data published in the just released volume of the SIR, volume 18, suggests that there was a 56.3% increase in vulnerability disclosures between the third and fourth quarters of 2014. After many periods of relatively small changes in disclosure totals, the 4,512 vulnerabilities disclosed during the second half of 2014 is the largest number of vulnerabilities disclosed in any half-year period since the CVE system was launched in 1999.

Figure 1: Industrywide vulnerability disclosures between the first half of 2012 (1H12) and the second half of 2014 (2H14)

This large increase in disclosures is predominantly the result of work performed by the Computer Emergency Response Team (CERT) Coordination Center (CERT/CC) in the second half of 2014 to scan Android applications in the Google Play Store for man-in-the-middle vulnerabilities using an automated tool called CERT Tapioca.[1] CERT/CC determined that thousands of Android apps fail to properly validate SSL certificates provided by HTTPS connections, which could allow an attacker on the same network as an Android device to perform a man-in-the-middle attack on the device.[2]
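The failure CERT/CC was finding is a client that accepts whatever certificate the server presents, which is exactly what lets an attacker on the same network sit in the middle of an HTTPS connection. The Python below, added here as an illustration and not code from CERT/CC, the Tapioca tool or the report, shows that misconfiguration beside a properly validating client context, plus a small audit function that reports which of the two checks (chain verification, hostname matching) is missing. It uses only the standard `ssl` module and makes no network connection; the function names are this example's own.

```python
"""The misconfiguration behind the CERT/CC Android findings, shown with Python's ssl module:
a client context that accepts any certificate next to one that verifies the chain and hostname.
Added example; not CERT/CC's Tapioca code or anything from the report."""
import ssl


def insecure_client_context():
    """The 'trust everything' pattern: no chain validation and no hostname check.
    It has the same effect as an Android TrustManager whose checkServerTrusted never throws."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode may be set to CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context():
    """Python's default client context: chain verified against the system trust store,
    and the server hostname matched against the certificate."""
    return ssl.create_default_context()


def audit_client_context(ctx):
    """Return the findings that would let an attacker on the same network impersonate the server.
    An empty list means the context validates certificates the way the post expects apps to.
    Note the half-way case: a verified chain with hostname checking off still accepts any
    certificate a public CA issued for some other name."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("server hostname is not matched against the certificate")
    return findings


if __name__ == "__main__":
    for label, ctx in (("insecure", insecure_client_context()), ("hardened", hardened_client_context())):
        print(label, audit_client_context(ctx) or ["no findings"])
```

The audit function is the piece worth reusing: run it over every `SSLContext` an application builds (or the equivalent settings in whatever TLS library is in use) before release, since both findings are exactly the conditions that turn a passive on-path position into a working man-in-the-middle.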

This project resulted in the creation of almost 1,400 individual CVEs affecting thousands of different publishers of Android apps and code libraries. Without the Android application vulnerabilities discovered by CERT/CC, vulnerability disclosures across the entire industry would have increased about 8% in the second half of 2014 – which would be more consistent with the increases observed over the past several half-year periods.

All of the Android SSL vulnerabilities discovered by CERT/CC are medium-severity (CVSS scores from 4 to 7.9) and medium-complexity vulnerabilities that affect non-operating-system applications. This increased the number of medium-severity and medium-complexity vulnerability disclosures sharply compared to past periods. For example, medium-severity vulnerability disclosures increased from 59.6% of all vulnerabilities in the first half of 2014 to 72.5% in the second half of the year.

Figure 2: left: Industrywide vulnerability disclosures in the first half of 2014, by severity; right: Industrywide vulnerability disclosures in the second half of 2014, by severity

Medium-severity vulnerabilities accounted for almost the entire increase in disclosures seen in the last six months of 2014.

Figure 3: Industrywide vulnerability disclosures by severity, between the first half of 2012 (1H12) and the second half of 2014 (2H14)

Some vulnerabilities are easier to exploit than others. Vulnerability complexity is an important factor to consider in determining the risk that each vulnerability poses. The CVSS assigns each vulnerability a complexity ranking of Low, Medium, or High. Medium-complexity vulnerabilities accounted for the largest category of disclosures in the second half of 2014 as well as the bulk of the significant increase in total disclosures observed during the period. Medium-complexity vulnerability disclosures doubled in the period between the first and second halves of 2014, increasing from 48.0% of all disclosures in the first half of the year to 61.5% in the second half of the year. Of note, disclosures of Low-complexity vulnerabilities (those that are the easiest to exploit) also increased significantly in the last six months of 2014. Low-complexity vulnerability disclosures increased 20.3% between the first and second halves of 2014, although their share of all vulnerabilities declined from 48.0% to 36.9% because of the sharp increase in Medium-complexity vulnerability disclosures in the same period.

Figure 4: Industrywide vulnerability disclosures by access complexity, between the first half of 2012 (1H12) and the second half of 2014 (2H14)

Many of the CISOs and security professionals I talk to are primarily concerned about vulnerabilities in operating systems and web browsers. But Figure 5 illustrates that there are typically more vulnerability disclosures in applications than in operating systems and browsers combined, and the almost 1,400 individual CVEs affecting thousands of different publishers of Android apps and code libraries accentuate this trend. Disclosures of vulnerabilities in applications other than web browsers and operating system applications increased 98.3% in the second half of 2014 and accounted for 76.5% of total disclosures for the period.

Figure 5: Industrywide operating system, browser, and application vulnerabilities, between the first half of 2012 (1H12) and the second half of 2014 (2H14)

You can get more details on vulnerability disclosure trends in the latest Microsoft Security Intelligence Report, available at http://microsoft.com/sir.

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection


[1] Will Dormann, “Finding Android SSL Vulnerabilities with CERT Tapioca,” CERT/CC Blog, September 3, 2014, http://www.cert.org/blogs/certcc/post.cfm?EntryID=204.

[2] CERT Coordination Center, “Vulnerability Note VU#582497: Multiple Android applications fail to properly validate SSL certificates,” Vulnerability Notes Database, http://www.kb.cert.org/vuls/id/582497.

Latest Microsoft Security Intelligence Report Now Available

May 14th, 2015

Volume 18 of the Microsoft Security Intelligence Report (SIR) is now available at http://microsoft.com/sir.


This volume of the SIR focuses on the second half of 2014 and contains longer-term trend data as well. SIR volume 18 contains data, insights and practical guidance on a range of global and regional cybersecurity threats, including vulnerability disclosures; malware and unwanted software, including the latest on ransomware; malicious websites such as drive-by download sites; and exploit activity, including exploits used in targeted attacks. Deep dives into the threat landscape in over 100 countries/regions are also available.

The “Featured Intelligence” section of the report is on “The life and times of an exploit.” This section explores the increased speed at which some attackers are able to reverse engineer security updates, illustrating the critical need to update systems as quickly as possible once security updates have been published by vendors.

The SIR also contains actionable guidance to help mitigate the threats reported to us from hundreds of millions of systems worldwide. This includes guidance based on the threats that Microsoft’s IT department, MSIT, detects and mitigates in the course of protecting Microsoft’s corporate network, which spans every region of the world.

Susan Hauser, Corporate Vice President, Worldwide Enterprise Partner Group, highlights some of the key findings in the new SIR and guidance for enterprise customers on her blog.

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection