Microsoft Security Intelligence Report from 1st Quarter of 2011

IRCRE201111081
Date: 2011-11-12
Volume 11 of the Microsoft Security Intelligence Report (SIRv11) provides in-depth perspectives on software vulnerabilities, software vulnerability exploits, malicious and potentially unwanted software, and security breaches. Microsoft developed these perspectives based on detailed trend analysis over the past several years, with a focus on the first and second quarters of 2011.
Vulnerabilities
Vulnerability Severity

The following figure shows industry-wide vulnerability disclosures by severity, 2H08-1H11.

Medium and High severity vulnerabilities disclosed in 1H11 were down 6.8 percent and 4.4 percent from 2H10, respectively. Even as fewer vulnerabilities are being disclosed overall, the number of Low severity vulnerabilities being disclosed has increased slightly. Low severity vulnerabilities accounted for 7.2 percent of all vulnerabilities disclosed in 1H11.
Vulnerability Complexity
Some vulnerabilities are easier to exploit than others, and vulnerability complexity is an important factor to consider in determining the magnitude of the threat that a vulnerability poses. A High severity vulnerability that can only be exploited under very specific and rare circumstances might require less immediate attention than a lower severity vulnerability that can be exploited more easily.

The following figure shows complexity trends for vulnerabilities disclosed since July 2006. Note that Low complexity indicates greater danger, just as High severity indicates greater danger in the previous figure.

As with vulnerability severity, the trend here is a positive one, with Low complexity vulnerabilities, the easiest ones to exploit, down 41.2 percent from the prior 12-month period.
High complexity vulnerability disclosures, meanwhile, have increased slightly. They accounted for 4.9 percent of all vulnerabilities disclosed between July 2010 and June 2011, up from 2.8 percent in the prior 12-month period.
Operating System, Browser, and Application Vulnerabilities

The following figure shows industry-wide vulnerabilities for operating systems, browsers, and applications since July 2006.

Most of the industry-wide decline in vulnerability disclosures over the past several years has been caused by a decrease in application vulnerabilities, which were down 8.8 percent from 1H11. Despite this decline, application vulnerabilities still accounted for 71.5 percent of all vulnerabilities disclosed in 1H11. Operating system and browser vulnerability disclosures have been mostly stable for several years, accounting for 12.7 percent and 15.7 percent of all vulnerabilities disclosed in 1H11, respectively.
Vulnerability Disclosures

The following figure charts vulnerability disclosures for Microsoft and non-Microsoft products since 2H08.

Vulnerabilities in Microsoft products accounted for 6.9 percent of all vulnerabilities disclosed in 1H11, down from 8.2 percent in 2H10.
Vulnerability disclosures for Microsoft products have generally remained stable over the past several periods, though the percentage of all disclosures industry-wide that affect Microsoft products has increased slightly, primarily because of the overall decline in vulnerability disclosures across the industry.
Exploits

The following figure shows the prevalence of different types of exploits for each quarter between 3Q10 and 2Q11.

The most commonly observed type of exploits in 1H11 were those targeting vulnerabilities in the Oracle (formerly Sun) Java Runtime Environment (JRE), Java Virtual Machine (JVM), and Java SE in the Java Development Kit (JDK). Java exploits were responsible for between one-third and one-half of all exploits observed in each of the four most recent quarters.
Detections of operating system exploits increased dramatically in 2Q11 because of increased exploitation of vulnerability CVE-2010-2568. Detections of exploits targeting Adobe Flash, although uncommon in comparison to some other types of exploits, increased in 2Q11 to more than 40 times the volume seen in 1Q11 because of exploitation of a pair of newly-discovered vulnerabilities.
Malware and Potentially Unwanted Software
The information in this section was compiled from telemetry data that was generated from more than 600 million computers worldwide and some of the busiest Internet online services.
Global Infection Rates

The following table shows the locations with the most computers reporting detections and removals by Microsoft desktop antimalware products in 1H11.

Detections in Russia increased 22.2 percent from 1Q11 to 2Q11, mostly because of increased detections of Win32/Pameseg, a potentially unwanted software program with a Russian language user interface.
Detections in France and Italy both increased significantly in 2Q11 because of increased detections of a number of Adware families, including Win32/ClickPotato, Win32/Hotbar, and Win32/OfferBox.
Operating System Infection Rates

The following figure shows the infection rate for each Windows operating system/service pack in 2Q11.

This data is normalized: the infection rate for each version of Windows is calculated by comparing an equal number of computers per version (for example, 1,000 Windows XP SP3 computers to 1,000 Windows 7 RTM computers).
As in previous periods, infection rates for more recently released operating systems and service packs are consistently lower than earlier ones, for both client and server platforms. Windows 7 and Windows Server 2008 R2, the most recently released Windows client and server versions, respectively, have the lowest infection rates on the chart.
Infection rates for the 64-bit versions of Windows Vista® and Windows 7 are lower than for the corresponding 32-bit versions of those operating systems.
Threat Categories
The Microsoft Malware Protection Center (MMPC) classifies individual threats into types based on a number of factors, including how the threat spreads and what it is designed to do. To simplify the presentation of this information and make it easier to understand, these types are grouped into 10 categories based on similarities in function and purpose.

The following figure shows detections by threat category each quarter in 3Q10-2Q11, by percentage of all computers reporting detections.

Totals for each time period may exceed 100 percent because some computers report more than one category of threat in each time period.
Adware rose to become the most commonly detected category in 1Q11 and 2Q11, primarily because of a pair of new families, Win32/OpenCandy and Win32/ShopperReports, and large increases in detections of a number of older families.
Worms and Trojan Downloaders & Droppers were two of the more significant categories in 2010, but declined to 10.9 percent and 9.3 percent of detections by 2Q11, respectively.
Rogue Security Software
Rogue security software is software that appears to be beneficial from a security perspective but provides limited or no security, generates erroneous or misleading alerts, or attempts to lure users into participating in fraudulent transactions.

The following figure shows detection trends for the most common rogue security software families detected in 1H11.

Email Threats
Spam Messages Blocked
The information in this section of the Microsoft Security Intelligence Report is compiled from telemetry data provided by Microsoft Forefront® Online Protection for Exchange (FOPE), which provides spam, phishing, and malware filtering services for thousands of Microsoft enterprise customers that process tens of billions of messages each month.

The following figure shows messages blocked by FOPE each month from July 2010 to June 2011.

The volume of spam blocked by FOPE decreased dramatically over the past 12 months, from a high of 89.2 billion messages in July 2010 to a low of 21.9 billion in May 2011, primarily because of takedowns of two major botnets: Cutwail, which was shut down in August 2010, and Rustock, which was shut down in March 2011 following a period of dormancy that began in January.
Between 85 and 95 percent of incoming messages were blocked at the network edge each month.
The decline in the percentage of messages blocked at the network edge beginning in January was caused by the overall decline in the volume of spam that occurred following the inactivation of the Rustock botnet.
Spam Types

The FOPE content filters recognize several different common types of spam messages. The following figure shows the relative prevalence of these spam types in 1H11.

Advertisements for nonsexual pharmaceutical products (28.0 percent of the total) and nonpharmaceutical product advertisements (17.2 percent) accounted for the majority of the spam messages blocked by FOPE content filters in 1H11.
In an effort to evade content filters, spammers sometimes send messages that consist only of one or more images, with no text in the body of the message. Image-only spam messages declined to 3.1 percent of the total in 1H11, down from 8.7 percent in 2010.

Created: 23 Azar 1390
