All of this leads to another major conclusion of the report: that vulnerabilities themselves are a declining factor in security. It's not just Microsoft, it's an industrywide phenomenon. Malware and social engineering, often in combination, are the way most Windows users get compromised, and often they are convinced through social engineering to bypass the very security features in Windows that protect them. The malware industry fights this partly with volume; Symantec now estimates that more malicious software is being written every day than legitimate software.
Even social engineering can be controlled in large part with good, tight management practices. In an enterprise, users should not in any circumstances have sufficient rights on their own systems to install software, for example. My sense is that businesses are moving in this direction, slowly. Consumers are a problem though. I run Vista as a standard user, but whenever I find nontechnical users running it, they are running as Administrator and I doubt they take UAC warnings seriously.
No doubt many Vista users are infected with malware because they just want to see the dancing pigs and ignore every warning Windows gives them. This is a tough problem to solve, but it has nothing to do with vulnerabilities, and every other operating system is as vulnerable to malware, if someone writes it, and to social engineering. Of course, almost all malware is written only for Windows.
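The two things the preceding paragraphs say matter most on a Vista-era or later PC are whether the account is a standard user and whether UAC is actually enforced. The script below is an added example, not part of the column, that audits both from a Windows PowerShell session; the registry key, value names and ADSI path are Windows' own, and the only assumption is that it runs on Vista or later (it deliberately avoids the newer LocalAccounts module so it works on old boxes too).

```powershell
# Added example (not from the column): audit the account and UAC state
# the article says matters. Only Windows built-ins are used.

function Test-IsElevated {
    # True only when the current token is an elevated admin token.
    # An Administrators member running with UAC's filtered token gets False.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UacState {
    # The policy values that control UAC live under this key.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                  = $v.EnableLUA                  # 1 = UAC on, 0 = off
        ConsentPromptBehaviorAdmin = $v.ConsentPromptBehaviorAdmin # 0 = elevate silently (weak), 2 = prompt for consent on secure desktop
        ConsentPromptBehaviorUser  = $v.ConsentPromptBehaviorUser  # 0 = deny elevation outright, 1/3 = prompt for credentials
        PromptOnSecureDesktop      = $v.PromptOnSecureDesktop      # 1 = prompt on the secure desktop (spoofing-resistant)
    }
}

function Get-LocalAdminMembers {
    # Enumerate local Administrators via ADSI (works on Vista without extra modules).
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

# Report the settings a practitioner would flag.
$uac      = Get-UacState
$admins   = Get-LocalAdminMembers
$findings = @()

if ($uac.EnableLUA -ne 1)                  { $findings += 'UAC is disabled (EnableLUA != 1)' }
if ($uac.ConsentPromptBehaviorAdmin -eq 0) { $findings += 'Administrators elevate silently, no prompt' }
if ($uac.PromptOnSecureDesktop -ne 1)      { $findings += 'Elevation prompts are not on the secure desktop' }
if ($admins -contains $env:USERNAME)       { $findings += "$env:USERNAME is a member of local Administrators (not a standard user)" }
if (Test-IsElevated)                       { $findings += 'This shell is already running elevated' }

if ($findings.Count -eq 0) {
    'OK: standard user, UAC enforced with secure-desktop prompts.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it unelevated as the day-to-day account; a clean result means the machine matches the configuration the column recommends. Note that the local Administrators query needs no elevation, so the audit can be done from a standard user session.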
I've written a lot about whitelisting lately as a logical and effective solution to malware, but one that has some serious obstacles to it, especially for consumers and small businesses. But imagine if you could do it: If vulnerabilities are becoming manageable and whitelists can be effective, we really could turn the tables on the bad guys. It almost seems in sight.
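The whitelisting approach described above is, in practice, an allow list of known-good binaries that the OS enforces. The following is an added example, not the column's own material, showing how such a list can be built and dry-run with Windows' built-in AppLocker cmdlets. It assumes a Windows 7 or later edition that includes AppLocker (Vista itself offered only Software Restriction Policies), and the trusted directories, output path and scan scope are placeholders to adjust.

```powershell
# Added example (not from the column): build a publisher/hash allow list
# from software already installed in trusted locations, then test other
# executables against it before enforcing anything.
# Assumes Windows 7+ with the AppLocker module; paths below are placeholders.
Import-Module AppLocker

$trusted = @('C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)')
$policyFile = 'C:\Temp\allowlist.xml'

# Inventory executables and scripts, capturing signer info and file hashes.
$fileInfo = $trusted | ForEach-Object {
    Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe, Script
}

# Publisher rules where files are signed, hash rules as the fallback for
# unsigned files. -Optimize collapses per-file publisher rules into one per
# signer/product so updates from the same vendor keep working.
New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -Optimize -Xml |
    Out-File -Encoding utf8 $policyFile

# Dry run: which binaries outside the trusted locations would be blocked?
Get-ChildItem 'C:\Users' -Include *.exe -Recurse -ErrorAction SilentlyContinue |
    Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $policyFile -User Everyone |
    Where-Object { $_.PolicyDecision -ne 'Allowed' } |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Once the denied list looks right, set EnforcementMode="AuditOnly" on each
# <RuleCollection> in the XML first, watch the AppLocker event log, and only
# then switch to "Enabled" and apply it locally:
# Set-AppLockerPolicy -XmlPolicy $policyFile
```

The dry run is the important step: the "serious obstacles" mentioned above show up as the list of legitimate but unlisted programs that Test-AppLockerPolicy reports as Denied, and the Application Identity service must be running for enforcement to take effect.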
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.