Microsoft Security Intelligence Report

29Nov07

Microsoft released the third edition of its Security Intelligence Report last month, which summarises the findings of its Malicious Software Removal Tool, Windows Defender and OneCare service. This edition reports on the software vulnerabilities, exploits and malicious software discovered between January and June 2007. The report claims that over 3,400 new vulnerabilities were disclosed during this period.

During this period the number of vulnerabilities relating to the operating system actually fell. It is unclear whether this is because the OS is becoming more secure, or because researchers are simply focusing more on third-party applications. The report also says that although the number of vulnerabilities disclosed has increased, the quantity of publicly available exploits is falling.

One of the most interesting results is the set of normalised statistics for the types of OS that were found to have unwanted or malicious software. It’s no surprise that only 2.8% of these were based on Vista and that 32.9% were Windows XP without a service pack. These results can be explained by Vista being more secure and by users with a more up-to-date OS also being more likely to have up-to-date AV and anti-spyware software.

However, what is surprising is that only 3.4% of Server 2K3 SP1 systems were infected, but more than twice that proportion, 7.3%, of 2K3 SP2 systems were. These statistics are normalised to remove any effect of the number of systems running each OS, so why would more Windows Server 2003 SP2 systems be infected? The report makes no suggestion.

Check out the Security Intelligence Report site for more details.
