Microsoft has documented a decline in the number of application vulnerabilities disclosed in 2010 and tracked a sharp rise in the use of exploits targeting two Java vulnerabilities.
Vulnerability disclosures for Microsoft products increased slightly in 2010 but have generally remained stable over the past several periods.
The total number of application vulnerabilities disclosed in 2010 declined 22.2% from 2009. Industry-wide vulnerability disclosures, the number of security issues documented across all vendors, also continued the moderate decline they have shown since 2006, falling 16.5% in 2010 from 2009. Microsoft attributes the trend to “better development practices and quality control throughout the industry, which result in more secure software and fewer vulnerabilities.”
The Microsoft Security Intelligence Report, volume 10, draws on telemetry from the user base of Microsoft's security software and paints a picture of the current threat landscape. Microsoft said it pulled the anonymized data from more than 600 million systems, from Internet service providers and from several Microsoft security centers.
The severity of disclosed application flaws is also declining. Microsoft said medium- and high-severity disclosures fell by 17.5% and 20.2% from 2009, respectively. The software giant bases its severity figures on ratings from the Common Vulnerability Scoring System (CVSS), which assigns each vulnerability a score from 0 to 10, with higher scores representing greater severity.
Experts said the data provided by Microsoft is positive and suggests that attacks are becoming more difficult to carry out: a growing share of disclosed vulnerabilities are rated high complexity, meaning that exploiting them requires specialized access conditions. High-complexity vulnerability disclosures increased 43.3%, from 120 in 2009 to 172 in 2010. Meanwhile, low- and medium-complexity vulnerability disclosures declined 28.3% and 5.0% from 2009, respectively.
“There’s a difference between disclosed vulnerabilities and actually seeing attacks using those vulnerabilities,” said Harry Sverdlove, chief technology officer of application whitelisting vendor Bit9. “While the number may have declined, it’s a positive for everybody, but it also shows that it only takes one or two really bad vulnerabilities for a spike in the number of actual attacks to occur.”
Vulnerabilities in Microsoft products accounted for 7.2% of all vulnerabilities disclosed in 2010, an increase of 4.5% from 2009. Microsoft attributed the larger share to the overall decline in industry-wide disclosures during that time: its own disclosure count stayed roughly flat while the industry total shrank.
“Vulnerability disclosures for Microsoft products increased slightly in 2010, but have generally remained stable over the past several periods,” Microsoft said in its report.
Microsoft said the threat landscape was dominated by exploits targeting Java vulnerabilities in 2010. The number of exploits targeting Java increased in the second quarter of 2010 and surpassed every other exploitation category the Microsoft Malware Protection Center tracks, including generic HTML/scripting exploits, operating system exploits and document exploits.
“Malware written in Java has existed for many years, but attackers had not focused significant attention on exploiting Java vulnerabilities until somewhat recently,” Microsoft said in its report.
“The message here is it’s very important to make sure all the software you’re running on your system, from all of the vendors, not just Microsoft, are kept up to date,” Tim Rains, group product manager with Microsoft’s Trustworthy Computing Group, said in a video interview provided by Microsoft.
Meanwhile, the number of Adobe Acrobat and Adobe Reader exploits dropped by more than half after the first quarter and remained at a reduced level throughout the remainder of the year, Microsoft said.