Microsoft's Security Report Finds Enterprises Vulnerable to Worms

Microsoft issued Volume 8 of its Microsoft Security Intelligence Report on April 26, using data collected from some 500 million computers worldwide to paint a portrait of the global IT security situation for the second half of 2009. While some of the conclusions were to be expected--more service packs on more recent operating systems translated into fewer vulnerabilities--there were noticeable differences between the vulnerability profiles of enterprise and consumer IT. Meanwhile, the total number of vulnerability disclosures in software continued to fall.

Microsoft issued on April 26 Volume 8 of its Microsoft Security Intelligence Report, which attempts to paint a comprehensive portrait of the world's IT security scene for the second half of 2009. Data for the report comes from around 500 million computers worldwide, in addition to a variety of online services such as Bing. Perhaps inevitably, the report suggests an increasing sophistication on the part of threats, with both the enterprise and consumers expressing different types of vulnerabilities.

Older operating systems received the brunt of attacks, according to Microsoft, with Windows XP reporting generally higher infection rates than either Windows 7 or Windows Vista. Of all the Microsoft-built operating systems, the 64-bit versions of Windows 7 RTM and Windows Vista SP2 reported the lowest numbers of computers cleaned for every 1,000 Malicious Software Removal Tool (MSRT) executions, averaging 1.4 PCs for each, while Windows XP SP 1 experienced the most, with 21.7 PCs cleaned per 1,000 executions.

As a generalized trend, succeeding service packs for operating systems resulted in progressively lower rates of infection. According to the report, "Microsoft security products cleaned rogue security software-related malware on 7.8 million computers in [the second half of] 2009, up from 5.3 million computers in [the first half of 2009]-an increase of 46.5 percent."

Infection data differed somewhat between enterprise and consumer PCs, however, reflecting the differing needs and technologies of those respective segments.

"Domains are used almost exclusively in enterprise environments, and computers that do not belong to a domain are more likely to be used at home or in other non-enterprise contexts," the report reads. "Comparing the threats that are encountered by domain computers and non-domain computers can provide insights into the different ways attackers target enterprise and home users and which threats are more likely to succeed in each environment."

In that spirit, the report suggests that the largest threat facing domain computers is worms, which account for around 32 percent of the top 10 threats detected. By contrast, worms constituted only 15 percent of detected threats for non-domain computers.

Those results were revered for "Misc. Trojans," detected on 18 percent of surveyed domain computers but around 25 percent of non-domain ones. "Misc. Potentially Unwanted Software" was detected on 16 percent of domain computers, versus 13 percent for non-domain, while "Trojan Downloaders & Droppers" hit 13 percent of domain computers and 15 percent of non-domain. "Password Stealers & Monitoring Tools" were a relative matchup, with 7 percent of domain computers and 9 percent of non-domain computers reporting encounters.

"Adware" represented a much larger threat to non-domain computers, being detected 12 percent of the time, while domain computers only encountered this particular threat 3 percent of the time. For "Backdoors," "Viruses," "Exploits" and "Spyware," rates of encounter for both domain and non-domain computers remained in the low single digits.

"Worms typically spread most effectively via unsecured file shares and removable storage volumes," the report suggests, "both of which are often plentiful in enterprise environments and less common in homes." Of those worms: "Win32/Conficker, which uses several methods of propagation that work more effectively within a typical enterprise network environment than over the public Internet, leads the list by a wide margin."

The report also broke down other elements of the Web's seedy underbelly, including spam; the top five locations that sent the most spam e-mails in the second half of 2009 included the United States (27 percent), Korea (6.9 percent), China (6.1 percent), Brazil (5.8 percent) and Russia (2.9 percent). On a more positive note, the report also noted that the amount of industrywide vulnerability disclosures for software has been steadily declining since the first half of 2006, including high- and medium-severity alerts. Vulnerability disclosures overall were down 8.4 percent from the first half of 2009 alone.

"The continued predominance of High severity and Medium severity vulnerability disclosures is likely caused at least in part to the tendency of both attackers and legitimate security researchers to prioritize searching for the most severe vulnerabilities," the report suggests. "Application vulnerabilities continued to account for most vulnerabilities in [the second half of] 2009, although the total number of application vulnerabilities was down significantly from 2H08 and 1H09."

The full report, which details other vulnerabilities found worldwide, can be downloaded from this site.