The number of flaws disclosed to the public rose nearly 5 percent during the first six months of 2007, marking the fourth straight year of increased reports, while the software bugs themselves were increasingly ranked as severe, according to a report released by Microsoft this week (see update below) and data from the National Vulnerability Database.
While Microsoft's semi-annual report -- titled the Microsoft Security Intelligence Report -- stated that the number of vulnerabilities had decreased between the second half of 2006 and the first half of 2007, the latest figures from the National Vulnerability Database show a slight increase of nearly 5 percent, to about 3,600 flaws. The NVD's maintainers have previously said that the counts change over time as overlooked flaws are added.
Microsoft's report also noted that viruses have dropped dramatically in the past 18 months, from making up approximately half of all malicious software detected by the company's Windows Live OneCare safety scanner to accounting for only about 12 percent of infections detected. Surreptitious software aimed at taking over a victim's computer -- known as a backdoor Trojan horse -- has taken up the slack, making up nearly half of all infections detected by Microsoft's scanner in the first six months of 2007, up from about 8 percent in the first half of 2006.
The report also noted that vulnerabilities are easier to exploit. The average difficulty of exploiting a vulnerability peaked during 2006, when roughly 14 to 18 percent of flaws required a complex process to exploit. In the first half of 2007, that portion dropped to less than 4 percent, according to data culled from the National Vulnerability Database.
The software giant also noted that Windows Vista appears to have significantly raised the bar for online attackers. The company's Malicious Software Removal Tool found and cleaned 60 percent less malicious software on Windows Vista computers than on Windows XP Service Pack 2 systems.
Microsoft could not immediately explain the inconsistency in data between the report and the NVD's current statistics.
UPDATE: In a call conducted after this report was published, Microsoft's Security Strategy Director Jeff Jones clarified that the Microsoft report culled duplicate vulnerabilities, as well as flaws assigned to the wrong year, from the National Vulnerability Database tallies, which accounts for the lower count.
Posted by: Robert Lemos