Operating system flaws continue their steady decline as attackers target application vulnerabilities, according to Microsoft's semiannual Security Intelligence Report.
"There is a marketplace for the higher severity vulnerabilities and so that's where researchers are finding their focus."
Jeff Williams, Principal Architect, Microsoft Malware Protection Center
Microsoft said nearly 90% of vulnerabilities discovered by researchers were in applications. OS flaws reached a high of 16% of all vulnerabilities discovered in 2003 and today they make up about 7% of flaw discoveries.
"Hackers attack low hanging fruit because it's easier for them," said Eric Domage, manager of security research and consulting at research firm IDC. "They think that if they spend their time on Vista, it is wasted time."
Despite a drop of interest in the OS, malicious software removed from Windows computers grew by 43% during the first half of 2008. Threats from keyloggers and other malicious programs continue to rise, as users get tricked into clicking on malicious email attachments. Web-based attacks are also contributing to the spread of malware, Microsoft said.
The Microsoft Security Intelligence Report, released today, discloses trends researchers observed from January 2008 to June 2008. The report is in its fifth iteration and pulls together data from hundreds of millions of Windows users as well as data from other security firms.
Microsoft said the total number of unique vulnerability disclosures across the industry continued to decrease in the first half of 2008, with new vulnerability disclosures declining by 4% from the second half of 2007 and by 19% from the first half of 2007.
"The decrease in vulnerabilities is definitely due to the security development lifecycle, and just a general focus on security across the industry," said Jeff Williams, principal architect for the Microsoft Malware Protection Center.
Researchers are finding fewer vulnerabilities, but the flaws they discover are more severe, according to Microsoft. The vulnerabilities rated as high severity according to the Common Vulnerability Scoring System has increased 13% over the second half of 2007.
"There is a marketplace for the higher severity vulnerabilities and so that's where researchers are finding their focus," Williams said. "The ones who are working for the criminals are working to monetize it through criminal channels and the ones who are working through other monetization channels are looking to get the higher payoff."
Williams also heralded Microsoft's Trustworthy Computing Security Development Lifecycle as the reason for the decline in vulnerabilities. The process adds an increased security focus on each phase of the software maker's development process. Microsoft designed Vista using the SDL process, and while some analysts point to user frustration over the security controls resulting in slower adoption of Vista, it has slowed targeted attacks on the OS.
"Particularly in the case of Vista, we've seen significant reduction in the attack surface and as a result there are fewer vulnerabilities there," Williams said.
Browser-based attacks on Windows Vista-based machines accounted for just 6% percent of the total Microsoft vulnerabilities, while third-party vulnerabilities made up 94%.
"Attackers have limited interest in going into Vista," IDC's Domage said. "There's less market penetration of Vista, and a lack of interest by hackers to go into the OS level since they get low results because it's so robust from a security perspective."