So, is the latest study put out by Microsoft correct? Well, that depends.
While at first glance it may appear that Microsoft was looking for a way to extol their awesomeness to anyone who may question it, their most recent study was backed up by independent security notification firm Secunia.
Before any of you go on to make jokes about how much Secunia was paid, we have something even more disturbing to tell you: The study kind of makes sense. (No tomato throwing, please.)
According to the latest edition of Microsoft’s Security Intelligence Report, “nearly 90 percent of vulnerabilities disclosed in the second half of 2008 affected applications.” According to the Register, Microsoft “reckons hackers have shifted their attention to applications in response to improved security of operating systems, including Windows.” But as the Register also points out, while the overall number of security vulnerabilities decreased, the number of high-risk flaws rose by over 4 percent.
So in essence, the Microsoft study is kind of right—newer versions of Microsoft software (including the oft-persecuted Vista) are indeed more secure; but the unavoidable truth is that they’re not secure enough.
Microsoft could go a lot further in terms of creating a secure baseline by default through not running everything as admin. While it’s all well and good that newer versions of Microsoft software—such as Vista—have pop-ups anytime a user needs to run something with admin control, what about non-technical users who are going to click “okay” simply because they’re looking to get their job done as quickly as possible?
A popular answer to this dilemma is to have people run as limited users; but once again, even running as a limited user wouldn’t prevent every security problem that came along. Through the use of social engineering, it would be more than possible for an attacker to install harmful components and then log back in as an admin user at a later time.
While it wouldn’t be an ultimate fix, Microsoft could help better protect users by cutting down on all of the “extras” that tend to run in Microsoft software. As we discussed in our “Psyb0t Worming its Way into Home Routers” post, the bigger the “target,” the more likely it is that attackers will be successful. And since the average non-technical user has no idea how large their “target” is, they are extremely vulnerable to potential attacks.
So all in all, Microsoft deserves a pat on the back and a firm shove toward better security practices. Because while it’s obvious that they’re improving, they still have a long way to go.
Have a security topic you’d like to write about? If so, we’d love to give you a chance to do that here on NovaInfosecPortal. Feel free to contact us about being a guest poster for the site. You can also help us help you by buying your SANS training through us.