Microsoft Subnet: An independent Microsoft community

Microsoft's Security Information Report shows lax practices allow malware, like Conficker, to thrive

Before you complain about all the malware out there, make sure you aren't providing an assist in the process.

In a few weeks, hundreds of hackers will descend on Las Vegas for the Defcon/Black Hat conferences and do their absolute best to never set foot outside of the hotels in the ungodly heat. One of the major sponsors of the show is the company with the most-attacked product lineup, Microsoft.

People are all too willing to criticize the company for being a malware target (which is in and of itself ridiculous, as it's the most used platform out there; like Dillinger said, that's where the money is), but they are just as slow to credit the company for its efforts to secure its platforms and its users.


Its efforts to lead raids have taken down huge botnets, including Rustock, Zeus, and Conficker. Microsoft has used its global reach and resources to take down a lot of bad people.

But security is a two-way street. It requires an effort on the part of end users, too, and Conficker is making a comeback thanks to bad practices by users who are allowing a detectable worm to get onto their systems.

Twice a year, the company releases its massive Security Intelligence Report (SIR), about 130-150 pages of anything but light reading, and the most recent issue highlights how user activity is allowing Conficker to come back from the dead.

Volume 12 came out in late April, and you'd be forgiven for not rushing out to read it; I didn’t. I figured they'd time it closer to Defcon and missed it. Volume 12 covers the time from July to December 2011.

In the fourth quarter of 2011 alone, Conficker was detected on 1.7 million systems worldwide, Microsoft wrote, and that was up from 1.6 million in Q3 2011. Now that's inexcusable. There is a security bulletin available for it. Just run Windows Update. Any antivirus program worth its salt will find Conficker. Microsoft has given out best practices to beat it. Just use strong passwords.

Why is Conficker still so prevalent? Microsoft cites research that shows 92 percent of Conficker infections were a result of weak or stolen passwords, and 8 percent of infections exploited vulnerabilities for which a security update exists.

"Conficker is one of the biggest security problems we face, yet it is well within our power to defend against," Tim Rains, director of Microsoft Trustworthy Computing, said on a conference call discussing the report. "It is critically important that organizations focus on the security fundamentals to help protect against the most common threats."
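The "security fundamentals" Rains refers to are the three things the article lists: apply the available update, run antivirus, and use strong passwords. The following PowerShell script is an added example, not code from the article or from Microsoft's report; it audits two of those fundamentals on a Windows host by listing security updates that are still pending through the Windows Update Agent COM API and parsing the local password policy from `net accounts`. The 12-character minimum used to flag a weak policy is an assumed threshold, not a figure from the report.

```powershell
# Added example (not from the article or the SIR): audit patch state and local
# password policy, the two fundamentals behind most Conficker infections.
# Run from an elevated PowerShell session on the host being checked.

function Get-PendingSecurityUpdates {
    # Windows Update Agent COM API: enumerate software updates not yet installed.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software'")
    foreach ($update in $result.Updates) {
        [pscustomobject]@{
            Title    = $update.Title
            Severity = $update.MsrcSeverity      # 'Critical', 'Important', ...; empty for non-security updates
            KBs      = ($update.KBArticleIDs -join ',')
        }
    }
}

function Get-LocalPasswordPolicy {
    # Parse the key/value lines of 'net accounts'; no extra modules required.
    $policy = @{}
    foreach ($line in (net accounts)) {
        if ($line -match '^(Minimum password length|Maximum password age \(days\)|Lockout threshold):?\s+(\S+)') {
            $policy[$matches[1]] = $matches[2]
        }
    }
    return $policy
}

function Invoke-FundamentalsAudit {
    # Keep only updates Microsoft rated with a security severity.
    $updates = @(Get-PendingSecurityUpdates | Where-Object { $_.Severity })
    $policy  = Get-LocalPasswordPolicy
    $minLen  = [int]$policy['Minimum password length']

    [pscustomobject]@{
        PendingSecurityUpdates = $updates.Count
        CriticalPending        = @($updates | Where-Object { $_.Severity -eq 'Critical' }).Count
        MinPasswordLength      = $minLen
        WeakPasswordPolicy     = ($minLen -lt 12)   # 12 is an assumed threshold; set it to your own policy
        LockoutThreshold       = $policy['Lockout threshold']   # 'Never' means no lockout on repeated bad guesses
        MaxPasswordAgeDays     = $policy['Maximum password age (days)']
    }
}

Invoke-FundamentalsAudit | Format-List
```

A host that reports any pending Critical updates, a minimum password length of 0, or a lockout threshold of Never is exactly the kind of system the report describes: the worm it cannot defend against is one that guesses passwords it is allowed to guess indefinitely. On a domain, the local policy is overridden by Group Policy, so the `net accounts` figures should be read as the effective settings for that machine rather than the domain's configured policy.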

In general, Microsoft found the state of security is improving. Vulnerability disclosures across the industry in the second half of 2011 were down 10% from the first half of the year and down 24.3% from the first half of 2009. This trend is likely because of "better development practices and quality control throughout the industry, which results in more secure software and fewer vulnerabilities from major vendors," the SIR authors wrote.

Also, the numbers of low-, medium- and high-severity vulnerabilities all dropped across the board, with high-severity vulnerabilities down 31% from the first half of 2011.

Operating system vulnerability disclosures decreased 34.7% from the first half of 2011 to the second half and, for the first time since 2003, are now ranked below browser vulnerability disclosures. Applications, however, are not as secure. App vulnerabilities rose 17.8% from the first half of 2011 to the second half and accounted for 71.2% of all vulnerability disclosures in the second half of 2011.

There was a significant rise in HTML/JavaScript, Java and document-based malware in the second half of 2011, in particular due to the emergence of JS/Blacole, a family of exploits used by the "Blackhole" exploit kit to deliver malicious software through infected Web pages. It's quite a collection, too, with exploits for vulnerabilities in versions of Adobe Flash Player, Adobe Reader, Microsoft Data Access Components (MDAC) and the Oracle Java Runtime Environment (JRE), among others.

The SIR report is up now until v13 later this year, and Microsoft will be found at the Rio hotel, site of Defcon, later this month.
