Attackers target applications, not OS, report shows

13 May 2011

Software applications rather than operating systems or web browsers were the favoured target of cyber attackers last year, although the total number of application vulnerabilities was significantly down compared to 2009, a new report from Microsoft has shown.

Microsoft’s latest Security Intelligence Report found that overall, the industry’s disclosure of vulnerabilities – holes in software that bad guys can exploit – has been declining since 2006. Microsoft attributed this to better development practices and quality control on the part of developers, which it said results in more secure software.

Attacks exploiting weaknesses in Java rose sharply during the third quarter of 2010, beating every other kind of exploitation tracked by Microsoft’s Malware Protection Centre. Exploits using HTML and JavaScript increased steadily throughout the year and continue to represent a large portion of exploits, the report said.

In the third quarter, the number of Java attacks increased to fourteen times the number recorded in the previous quarter, following the discovery of two vulnerabilities in the Java Virtual Machine. These flaws alone accounted for 85pc of the Java exploits detected in the second half of 2010. By the end of the year Java exploits far outnumbered all other types of software vulnerabilities such as HTML/Script, operating systems, document readers and even Adobe Flash.

Drop-offs in flow of spam

The flow of spam also saw two massive drop-offs during last year, in September and December, which Microsoft said was due to the elimination of two sources – the Cutwail Spambot and Rustock. While Cutwail was taken out as part of an operation by security researchers, Rustock re-emerged in January and has begun sending spam again.

Now in its tenth year, Microsoft’s Security Intelligence Report provides in-depth perspectives on software vulnerabilities, exploits, malicious and potentially unwanted software and security breaches in both Microsoft and third party software.

The full report can be downloaded here.  

Gordon Smith 

Gordon Smith was a contributor to Silicon Republic