Microsoft Security Intelligence Report: January through June 2008

The Microsoft Security Intelligence Report for the period covering January through June 2008 has been released.

Executive Summary
Full report
Key findings summary

The full report is a hefty 150 pages long.  I have only had time to take the briefest of glances at it, and even then I have focused only on my particular field of interest – browser based exploits and malware/potentially unwanted software. 

A showstopper statistic is to left of screen.  As you can see, the percentage of browser based exploits from the perspective of Microsoft software versus third party software swas 42.3% (MS) : 57.5% (TP) for Windows XP and an amazing 5.7% (MS) : 94.3% (TP) for Windows Vista.  The results highlight just how important it is to ensure that *all* software on your computer is kept up to date and, to quote the authors of the MSIR report “uninstall software you don’t actively use. Malicious code can exploit vulnerabilities in software whether you use it or not“.

The report also reveals that:

• In 1H08, the total amount of malware and potentially unwanted software removed from computers worldwide increased by more than 43 percent compared to 2H07.
• Despite this overall increase, there has been a 36% DECREASE in the number of computers infected with Win32/Winfixer family malware.
• Although patterns of malware detected and removed by Microsoft security products varied across countries and regions, trojan downloaders and droppers constituted more than 30 percent of all malware removed by Microsoft security products worldwide.  This trend builds on the significant increases in the volume of trojan downloaders and droppers detected over the past several years.
• As a general rule, infection rates tend to be higher in developing countries/regions than in developed countries/regions, as reported by the Malicious Software Removal Tool (MSRT).
• The most common system locale for victims of browser-based exploits was Chinese, accounting for 47 percent of all incidents, followed by US English with 23 percent of incidents.
• The infection rate for Windows Vista is significantly lower than that of its predecessor, Windows XP, at any service pack level.
• The infection rates for the 64-bit editions of Windows Vista were both lower than those of their 32-bit counterparts.
• For each version of the operating system, higher service pack levels meant lower rates of infection. This trend can be observed consistently across client and server operating systems half-year period over half-year period.

Now, with regards to the 43% increase in detected malware and potentially unwanted software, the authors note that:

• The ability of the tools themselves to detect malware continues to improve as researchers analyze samples and refine their detection algorithms.
• Several prevalent malware families were added to the MSRT in 1H08, causing them to be detected for the first time on many previously unprotected computers.
• More computers worldwide are running Windows Vista, which includes Windows Defender (available as a separate download for earlier versions of Windows) and allows the user to download the monthly Microsoft Windows Malicious Software Removal Tool (MSRT) by default.
• Increased usage of Microsoft security products, like Windows Live OneCare and Microsoft Forefront Client Security, has contributed to the increase.
• Any genuine increase in the prevalence of malware and potentially unwanted software would naturally tend to be reflected in the statistics, as well.

User actions and reactions

The following two statistical tables are very interesting – they show us the most removed, and least removed, detections.  I struggle to understand, for example, why anybody would choose to ignore the detection of “severe” threats.  The least removed statistics are unsurprising.