The reports of Microsoft's "out of band" patch last week of a critical vulnerability in Windows all took note of how unusual it was. Out-of-band updates are unusual-the last one was MS07-017 on April 3, 2007-because Microsoft has gotten on top of the vulnerability problem better than anyone. In fact, I'd say the game is over. They win.
Of course, this doesn't mean that Windows users are all safe now and you can stop worrying about vulnerabilities. What it does mean is that if you use current versions of their products, are diligent about applying updates soon after they come out, have reasonably good and updated security software, and maybe do some reasonable education of users over what they can and can't do with computers, your chances of getting exploited by a vulnerability in a Microsoft product are pretty small. They have been getting smaller over time.
Part of the reason for this is explained in Microsoft's Jeff Jones's most recent report on desktop vulnerabilities. It's clear that things are way better than they were a few years ago. Jones' data shows that Microsoft has fewer and less severe vulnerabilities in its products, and that it patches them faster. And the most recent versions of Microsoft's products, the ones developed with the SDL (Security Development Lifecycle), are the least vulnerable of all, especially Office.
For years I've seen this trend and figured that it should translate into a pattern in the exploitation of vulnerabilities: The older and less-urgently patched a platform is, the more likely it is to be exploited. The newer and more urgently patched a system is, the less it would be exploited. Sure enough, this pattern is borne out in Microsoft's latest SIR (Security Intelligence Report), covering the first half of 2008. Microsoft's data comes from its own telemetry via Windows Update, the Malicious Software Removal Tool, ForeFront products and so on, so it's a huge sample, especially via the MSRT that runs on all systems that run Windows Update.
Consider Figure 80 in the report on Page 133, which shows the vulnerabilities behind the top browser-based exploits they collected. Browser exploits are probably the lion's share of vulnerability exploits today. Essentially all of the exploits of Windows vulnerabilities are targeting older, unpatched platforms.
The top one, MS06-014 (Vulnerability in the Microsoft Data Access Components [MDAC] Function Could Allow Code Execution), was patched 2 1/2 years ago. Only one Microsoft vulnerability in the list affects Windows Vista, at 1.1 percent of collected samples: MS07-017 (Vulnerabilities in GDI Could Allow Remote Code Execution). The update covered several vulnerabilities, and the one that mattered was also known as CVE-2007-0038, the ANI bug.
This was a very big deal when it came out, shortly after Vista was released, but one of the facts that quickly became apparent was that if Vista were exploited it would have to be through Internet Explorer 7 in Protected Mode (unless the user turned that off), and therefore the attack could not be persistent. As a practical matter, according to Microsoft, none of the existing attacks affects IE7 in Protected Mode.
Look down the exploit list in the SIR, and you'll see that the large majority are for vulnerabilities in third-party products, such as RealPlayer, QuickTime, BaoFeng Storm (some Chinese thing), Acrobat and so on. That's where the real action is in vulnerability exploits; users aren't as proactive about patching third-party products, and they aren't as in-your-face about patching as Windows is. (This is why I've suggested that Microsoft offer to host patching services for third parties on Windows Update, but that's not going to happen.)
The whole current MS08-067 Server vulnerability episode reinforces all of this for me. An update this past Friday night from the Microsoft Security Response Center repeats what I have heard, that people are patching furiously. It also notes that there is exploit code and a functioning attack. A hacker blog on 0x000000.com (love that domain name) says they have found the exploit victim list for the worm and provide the complete list, including the User-Agent strings for all of them. A Securiteam blog says, based on the IP addresses in the list, that the users are "... mainly in Australia, China, Philippines, India, Japan, Korea, Malta, Malaysia, Taiwan, and Vietnam."
I searched the list of over 4,500 User-Agents and found seven hits for Vista systems (those with "Windows NT 6.0" in the User Agent string). Four of those are clearly test probes, and the systems were not actually infected. The other three are for a single IP address and apparently the same host, on a dial-up account with a U.S. West Cast ISP. Sounds like a test system to me. In other words, no actual Vista users were harmed in the exploitation of this vulnerability. This isn't surprising, since the vulnerability is much harder to exploit under Vista than XP, but it's also the point: Vista users are safer because they use Vista.