Microsoft issued Volume 8 of its Microsoft Security Intelligence Report on April 26, using data collected from some 500 million computers worldwide to paint a portrait of the global IT security situation for the second half of 2009. While some of the conclusions were to be expected--more service packs on more recent operating systems translated into fewer vulnerabilities--there were noticeable differences between the vulnerability profiles of enterprise and consumer IT. Meanwhile, the total number of vulnerability disclosures in software continued to fall.
Microsoft issued on April 26 Volume 8 of its Microsoft Security Intelligence
Report, which attempts to paint a comprehensive portrait of the world's IT
security scene for the second half of 2009. Data for the report comes from
around 500 million computers worldwide, in addition to a variety of online
services such as Bing. Perhaps inevitably, the report suggests an increasing
sophistication on the part of threats, with both the enterprise and consumers
expressing different types of vulnerabilities.
Older operating systems received the brunt of attacks, according to
Microsoft, with Windows XP reporting generally higher infection rates than
either Windows 7 or Windows Vista. Of all the Microsoft-built operating
systems, the 64-bit versions of Windows 7 RTM and Windows Vista SP2 reported
the lowest numbers of computers cleaned for every 1,000 Malicious Software
Removal Tool (MSRT) executions, averaging 1.4 PCs for each, while Windows XP SP
1 experienced the most, with 21.7 PCs cleaned per 1,000 executions.
As a generalized trend, succeeding service packs for operating systems
resulted in progressively lower rates of infection. According to the report,
"Microsoft security products cleaned rogue security software-related malware on
7.8 million computers in [the second half of] 2009, up from 5.3 million
computers in [the first half of 2009]-an increase of 46.5 percent."
Infection data differed somewhat between enterprise and consumer PCs,
however, reflecting the differing needs and technologies of those respective
"Domains are used almost exclusively in enterprise environments, and
computers that do not belong to a domain are more likely to be used at home or
in other non-enterprise contexts," the report reads. "Comparing the threats
that are encountered by domain computers and non-domain computers can provide
insights into the different ways attackers target enterprise and home users and
which threats are more likely to succeed in each environment."
In that spirit, the report suggests that the largest threat facing domain
computers is worms, which account for around 32 percent of the top 10 threats
detected. By contrast, worms constituted only 15 percent of detected threats
for non-domain computers.
Those results were revered for "Misc. Trojans," detected on 18 percent of
surveyed domain computers but around 25 percent of non-domain ones. "Misc.
Potentially Unwanted Software" was detected on 16 percent of domain computers,
versus 13 percent for non-domain, while "Trojan Downloaders & Droppers" hit
13 percent of domain computers and 15 percent of non-domain. "Password Stealers
& Monitoring Tools" were a relative matchup, with 7 percent of domain
computers and 9 percent of non-domain computers reporting encounters.
"Adware" represented a much larger threat to non-domain computers, being
detected 12 percent of the time, while domain computers only encountered this
particular threat 3 percent of the time. For "Backdoors," "Viruses," "Exploits"
and "Spyware," rates of encounter for both domain and non-domain computers
remained in the low single digits.
"Worms typically spread most
effectively via unsecured file shares and removable storage volumes," the
report suggests, "both of which are often plentiful in enterprise environments
and less common in homes." Of those worms: "Win32/Conficker, which uses several
methods of propagation that work more effectively within a typical enterprise
network environment than over the public Internet, leads the list by a wide margin."
The report also broke down other elements of the Web's seedy underbelly,
including spam; the top five locations that sent the most spam e-mails in the
second half of 2009 included the United States
(27 percent), Korea
(6.9 percent), China
(6.1 percent), Brazil
(5.8 percent) and Russia
(2.9 percent). On a more positive note, the report also noted that the amount
of industrywide vulnerability disclosures for software has been steadily
declining since the first half of 2006, including high- and medium-severity
alerts. Vulnerability disclosures overall were down 8.4 percent from the first
half of 2009 alone.
"The continued predominance of High severity and Medium severity
vulnerability disclosures is likely caused at least in part to the tendency of
both attackers and legitimate security researchers to prioritize searching for
the most severe vulnerabilities," the report suggests. "Application
vulnerabilities continued to account for most vulnerabilities in [the second
half of] 2009, although the total number of application vulnerabilities was
down significantly from 2H08 and 1H09."
The full report, which details other vulnerabilities found worldwide, can be downloaded from