According to Microsoft’s Security Intelligence Report (SIR), malware writers aren’t targeting Vista directly; they’re using holes in third-party applications to attack users’ systems instead. Microsoft’s data agrees with that of the independent anti-malware company Kaspersky Lab: on XP, vulnerabilities in Microsoft’s own software account for almost half of the exploited vulnerabilities, while on Vista nearly all attacks come by way of third-party software.
ZDNet’s article on the report includes these graphs comparing the top 10 browser-based vulnerabilities on Windows XP and Windows Vista:
One question that comes to mind: is it because Vista is more secure, or because XP is simply the better target, with its much larger installed base? I certainly don’t know the answer.
Another question that naturally arises: how do you solve the problem of vulnerabilities in third-party apps? I’m a firm believer in Bruce Schneier’s maxim that “security is a process, not a product,” and I think the best approach is a multi-pronged one. The prong I’m responsible for is educating developers about application security, and as I learn more about the Windows platform and security, I’ll write about it here on Global Nerdy as well as on some of Microsoft’s developer-focused sites.
Recommended Reading
- ZDNet: Microsoft: Third party apps killing our security.
- Microsoft Malware Protection Center: The Latest Security Intelligence Report.
- New York Times: On Security, Microsoft Reports Progress and Alarm
2 replies on “Windows Exploits Come from Third-Party Apps”
One would think that if Microsoft were serious about educating web developers on security, it would have a dedicated site containing a dictionary of all the common security terms, full explanations of them, how you avoid them, updates on new vulnerabilities such as clickjacking, etc.
Chess: One might, if one were a developer evangelist for said company, inquire to see if such a site existed, and failing that, get the gears in motion to put such a site into existence. If one were a developer evangelist for said company, that is.