
Microsoft Security Incident Report


Presentation given at the Microsoft UK Architect Council Meeting at Bletchley Park

Presented by Cliff Evans


  1. The report addresses data and trends observed over the past several years, but focuses on the second half of 2008 (2H08).
     Major sections cover:
       - The Threat Ecosystem
       - Software Vulnerability Disclosures
       - Software Vulnerability Exploits
       - Browser-Based and Document Format Exploits
       - Security and Privacy Breaches
       - Malicious Software and Potentially Unwanted Software
       - Email, Spam, Phishing and Drive-By Download Threats
       - Special Focus on Rogue Security Software
     The report builds on five previous editions of the SIR.
  2. Software Vulnerability Disclosures: data sources
       - Common Vulnerabilities and Exposures website: http://cve.mitre.org
       - Common Vulnerability Scoring System: http://www.first.org/cvss
       - National Vulnerability Database (NVD) website: http://nvd.nist.gov/
       - Security websites
       - Vendor websites and support sites
       - Security breach notifications: http://datalossdb.org
  3. Malicious Software and Potentially Unwanted Software: data sources
       - Data from several hundred million computers worldwide
       - Some of the busiest services on the Internet (e.g. Hotmail)
       - During 2H08 the MSRT executed 2.2 billion times
       - Since January 2005 total MSRT executions surpass 15 billion
       - Also data from Windows Live Search and the Microsoft Windows Safety Platform
  4. Industry-wide vulnerability disclosures
       - Disclosures in 2H08 down 3% from 1H08
       - Disclosures for all of 2008 down 12% from 2007
     [Chart: Industry-wide vulnerability disclosures by half-year, 2H03-2H08; y-axis is number of disclosures, 0-3,500]
  5. Operating System, Browser and Application Disclosures - Industry Wide
       - Operating system vulnerabilities: 8.8% of the total
       - Browser vulnerabilities: 4.5% of the total
       - Other vulnerabilities: 86.7% of the total
     [Chart: Industry-wide operating system, browser, and other vulnerabilities, 2H03-2H08; series: Operating System Vulnerabilities, Browser Vulnerabilities, All Other; y-axis 0-3,500]
  6. Microsoft vulnerability disclosures
       - Microsoft vulnerability disclosures mirror the industry totals, though on a much smaller scale
     [Chart: Vulnerability disclosures for Microsoft and non-Microsoft products, 2H03-2H08; series: Microsoft, Non-Microsoft; y-axis 0-3,500]
  7. Top 10 browser-based exploits on Windows XP-based machines
       - On Windows XP-based machines, Microsoft software accounted for 6 of the top 10 vulnerabilities
       - The most commonly exploited vulnerability was disclosed and patched by Microsoft in 2006
     [Chart: The 10 browser-based vulnerabilities exploited most often on computers running Windows XP, 2H08; series: Microsoft Vulnerabilities, Third-Party Vulnerabilities; y-axis 0-10%]
  8. Top 10 browser-based exploits on Windows Vista-based machines
       - On Windows Vista-based machines, Microsoft software accounted for none of the top 10 vulnerabilities
     [Chart: The 10 browser-based vulnerabilities exploited most often on computers running Windows Vista, 2H08; series: Third-Party Vulnerabilities; y-axis 0-20%]
  9. Infection Patterns by Office Update Level
       - RTM versions of Office suites were targeted most often
       - For Office 2000, all attacks observed were against the RTM version
     [Pie charts: Breakdown of the sample set of targeted computers by Office update level for Office 2003, Office XP, and Office 2000; segments include RTM, SP1, SP2, SP3 and SP3 + MS08-026, with RTM the largest segment in each suite]
  10. Exploits against common document formats
       - Attacks spiked significantly in 2H08
       - Both vulnerabilities exploited had updates available from Adobe and did not exist in the most recent version of Adobe products
     [Chart: Adobe Reader exploits by month in 2008, indexed to the monthly average for 2H08; series: CVE-2007-5659, CVE-2008-2992; y-axis 0-250%]
  11. Vulnerability of recent Adobe Reader releases
       - Newer versions of Adobe products are not vulnerable to these attacks
     Vulnerability of recent Adobe Reader releases to CVE-2007-5659 and CVE-2008-2992:

       Adobe Reader Version   Vulnerable to CVE-2007-5659?   Vulnerable to CVE-2008-2992?
       7.0.0.0                Yes                            No
       7.0.8.218              Yes                            No
       8.0.0.456              Yes                            Yes
       8.1.0.137              Yes                            Yes
       8.1.3                  No                             No
       9.0.0                  No                             No
  12. Study of publicly reported security breaches worldwide
       - Hacking and viruses accounted for less than 20% of all notifications in 2H08
       - 50% of breaches in 2H08 resulted from stolen equipment
     [Chart: Security breach incidents by type, expressed as percentages of the total, 2H07-2H08; series: 2H07, 1H08, 2H08; y-axis 0-50%]
  13. Infection rates by location (CCM, 1H08)

       Lowest Infection Rates          Highest Infection Rates
       Location            1H08        Location                  1H08
       Vietnam             1.3         Serbia and Montenegro     77.0
       Philippines         1.4         Russia                    21.1
       Macao S.A.R.        1.5         Brazil                    20.9
       Japan               1.7         Turkey                    20.5
       Morocco             2.1         Spain                     19.2
       Pakistan            2.2         Saudi Arabia              18.5
       Austria             2.3         Korea                     18.3
       Luxembourg          2.5         Egypt                     16.5
       Algeria             2.6         Mexico                    15.9
       Finland             2.6         Guatemala                 13.9
       Puerto Rico         2.7         Portugal                  13.4

       - UK infection rate (CCM) was 5.7 in 2H08, i.e. 5.7 systems infected for every 1,000 systems the MSRT executed on
       - Worldwide average was 8.6 in 2H08
  14. Disinfected Threats by Category in 2H08

       Category                                  Infected computers   Share    Trend from 1H08
       Miscellaneous Trojans                     831,506              28.5%    + 75.7%
       Trojan Downloaders & Droppers             689,709              23.6%    + 7.4%
       Adware                                    650,310              22.3%    - 5.2%
       Misc. Potentially Unwanted Software       458,168              15.7%    - 26.6%
       Backdoors                                 93,481               3.2%     - 18.0%
       Worms                                     66,956               2.3%     + 10.0%
       Password Stealers & Monitoring Tools      45,954               1.6%     + 73.6%
       Exploits                                  33,471               1.1%     + 45.5%
       Viruses                                   27,352               0.9%     + 67.2%
       Spyware                                   20,105               0.7%     + 29.1%
       TOTAL                                                                   + 8.3%
  15. Top 25 Families in the United Kingdom

       Rank  Family                        Category                               Infected computers   Trend
       1     Win32/ZangoSearchAssistant    Adware                                 400,596              + 13.3%
       2     Win32/Renos                   Trojan Downloaders & Droppers          329,368              + 213.3%
       3     Win32/Zlob                    Trojan Downloaders & Droppers          325,628              - 21.9%
       4     Win32/Vundo                   Misc. Trojans                          270,021              + 27.8%
       5     Win32/ZangoShoppingreports    Adware                                 205,727              + 20.0%
       6     Win32/Hotbar                  Adware                                 179,861              + 2.4%
       7     Win32/FakeSecSen              Misc. Trojans                          125,321              New
       8     Win32/FakeXPA                 Misc. Trojans                          112,358              New
       9     Win32/Antivirus2008           Misc. Potentially Unwanted Software    86,509               New
       10    ASX/Wimad                     Trojan Downloaders & Droppers          84,944
       11    Win32/Playmp3z                Misc. Potentially Unwanted Software    83,190
       12    Win32/Agent                   Misc. Trojans                          74,978
       13    Win32/SeekmoSearchAssistant   Adware                                 67,773
       14    Win32/C2Lop                   Miscellaneous Trojans                  60,333
       15    Win32/Meredrop                Miscellaneous Trojans                  50,837
       16    Win32/Winfixer                Misc. Potentially Unwanted Software    50,750
       17    Win32/Tibs                    Miscellaneous Trojans                  48,411
       18    Win32/Starware                Misc. Potentially Unwanted Software    42,831
       19    Win32/WinSpywareProtect       Trojan Downloaders & Droppers          39,107
       20    Win32/ConHook                 Miscellaneous Trojans                  36,127
       21    Win32/Vapsup                  Misc. Potentially Unwanted Software    33,488
       22    Win32/OneStepSearch           Misc. Potentially Unwanted Software    33,409
       23    Win32/Alureon                 Miscellaneous Trojans                  33,397
       24    Win32/Oderoor                 Backdoors                              32,556
       25    Win32/AdRotator               Adware                                 30,723
  16. Infection rates by operating system and service pack
       - The infection rate of Windows Vista SP1 was 60.6% less than that of Windows XP SP3
       - The infection rate of Windows Vista with no service pack was 89.1% less than that of Windows XP with no service pack installed
     [Bar chart: number of computers cleaned per 1,000 MSRT executions by Windows version and service pack; y-axis 0-35]
  17. Profiting from Fear and Trust
       - Some rogue security software families mimic genuine Windows security warnings
       - Clicking "Recommendations" initiates a registration and purchase process
  18. Profiting from Fear and Trust
       - Some variants of Win32/FakeXPA display fake "blue screen" error messages
  19. Profiting from Annoyance
       - Some rogue security software families employ intrusive pop-up messages to persuade the user to purchase
  20. Legal action against rogue security software
       - The Microsoft Internet Safety Enforcement Team (ISET) partners with governments, law enforcement, and industry partners worldwide
       - Several legal cases have been initiated against the creators and distributors of rogue security software
       - For full details of these legal actions, please refer to the full Security Intelligence Report volume 6 document
  21. Email filtering
       - Microsoft Forefront Online Security for Exchange filtered 97.3 percent of all e-mail messages received in 2H08
     [Chart: Percentage of incoming messages filtered by Forefront Online Security for Exchange, 1H06-2H08; y-axis 0-100%]
  22. Spam Trends and Statistics
     [Chart: Percentage of incoming messages blocked by Forefront Online Security for Exchange using edge-blocking and content filtering, 1H06-2H08; series: Edge Filtered, Content Filtered, Unfiltered; y-axis 0-100%]
  23. © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.