Windows Exploits Come from Third-Party Apps

According to Microsoft’s Security Intelligence Report (SIR), malware writers aren’t targeting Vista directly; they’re using holes in third-party apps to attack people’s systems instead. Microsoft’s data agrees with that of independent anti-malware company Kapersky Lab: while direct attacks on XP account for almost half of its vulnerabilities, nearly all attacks on Vista are done by way of exploiting third-party software.

ZDNet’s article on the report includes these graphs comparing the top 10 browser-based vulnerabilities on Windows XP and Windows Vista:

Graph: Top 10 browser-based vulnerabilities in Windows XP -- half are Microsoft's fault.

Graph: Top ten browser-based vulnerabilities in Windows Vista -- all are third-party apps' fault.

One question that comes to mind: is it because Vista is more secure, or because attacking XP is a better approach because it represents a larger base of targets? I certainly don’t know the answer.

Another question that naturally arises from this is: How do you solve the problem of vulnerabilities through third-party apps? I’m a firm believer in Bruce Schneier’s maxim, “security is a process, not a product,” and think that the best approach is a multi-pronged one. The prong for which I’m responsible is educating developers about application security, and as I find out more about the Windows platform and security, I’ll write about it here on Global Nerdy as well as in some of Microsoft’s developer-focused sites.

Recommended Reading

2 replies on “Windows Exploits Come from Third-Party Apps”

One would think that if Microsoft was serious about educating web developers on security it would have a dedicated site containing a dictionary of all the common security terms, full explanations about them, how you avoid them, updates on new vulnerabilities such as clickjacking, etc.

Chess: One might, if one were a developer evangelist for said company, inquire to see if such a site existed, and failing that, get the gears in motion to put such a site into existence. If one were a developer evangelist for said company, that is.

Comments are closed.