According to Microsoft’s Security Intelligence Report (SIR), malware writers aren’t targeting Vista directly; they’re using holes in third-party apps to attack people’s systems instead. Microsoft’s data agrees with that of independent anti-malware company Kapersky Lab: while direct attacks on XP account for almost half of its vulnerabilities, nearly all attacks on Vista are done by way of exploiting third-party software.
ZDNet’s article on the report includes these graphs comparing the top 10 browser-based vulnerabilities on Windows XP and Windows Vista:
One question that comes to mind: is it because Vista is more secure, or because attacking XP is a better approach because it represents a larger base of targets? I certainly don’t know the answer.
Another question that naturally arises from this is: How do you solve the problem of vulnerabilities through third-party apps? I’m a firm believer in Bruce Schneier’s maxim, “security is a process, not a product,” and think that the best approach is a multi-pronged one. The prong for which I’m responsible is educating developers about application security, and as I find out more about the Windows platform and security, I’ll write about it here on Global Nerdy as well as in some of Microsoft’s developer-focused sites.