The latest Microsoft Security Intelligence Report (Volume 11) has been released and contains some interesting information that Microsoft has collected from the execution of its Malicious Software Removal Tool (MSRT) and Internet Explorer SmartScreen® data.  Several of the results confirm what those of us in the network security monitoring community already know: Java is the most often exploited application (page xvii), Adobe Acrobat exploits account for most malicious documents (page xviii), and Adware is the most common type of malware identified (page xx).  Microsoft also stated that over a third of malware detected could spread via the AutoRun feature on removable media or on network shares.  Updates exist that help make the AutoRun feature in XP and Vista more like the one in Windows 7, which is to say more secure.  Deploy those updates.

Some of the more interesting information reported:

• What is not getting exploited as often as I would have suspected – Adobe Flash and Microsoft Office.  Even though two Flash vulnerabilities identified in the first half of 2011 led to an increase in exploits against Flash, Flash is getting exploited 7 times less often than Java!

• For the last four quarters (Q3 2010 through Q2 2011) the detection of trojan and backdoor malware has experienced a consistent slight downward trend.  An explanation could be the coordinated take down of several large botnets in the past year.  Microsoft has been involved in those take downs, so a shout of thanks goes to them!

• Another unexpected result: phishing attacks against social networks accounted for slightly less than half of all phishing attempts, while attacks against financial institutions accounted for slightly more than one-third of phishing attempts.  In April, Microsoft’s data indicated that 84% of all phishing attempts were against social networks.

So, what does this mean for security professionals in the corporate world?  Well, it’s nothing new really: protect the clients just as you would the servers.  Patching the OS is no longer enough.  You must patch applications regularly too – most importantly, Java, Acrobat, and Flash.   Disable AutoRun, if possible, but at a minimum deploy the updates from Microsoft for XP and Vista that make them more secure.  And, finally, warn your users about phishing attacks and discourage using the same password for personal social networking and financial websites as they use for their corporate login(s).

Brett Edgar

Brett is a Founder and the Director of Managed Security Services at TRUE. He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003. He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver. He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.

Twitter - More Posts

Microsoft appears set to display a new version of its search engine early next week.  The boys in Redmond have been scratching their heads trying to compete with the behemoth that is Google for the past few years.  Looks like this may be their latest attempt at assassination.

Sometimes I feel bad for Microsoft.  They have to compete with both Google and Apple.  Then I remember all the unfair things Microsoft has done to stifle competition in the past and I stop feeling bad.

Brett Edgar

Brett is a Founder and the Director of Managed Security Services at TRUE. He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003. He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver. He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.

Twitter - More Posts

Last week, in a surprise move, Microsoft announced Open Access to Protocol Documentation[microsoft.com]. Microsoft is releasing their protocol technical specifications for interoperability with Windows Vista, Windows Server 2008, Exchange, and others. This means third party and open source software will be able to “talk” directly with Windows components that had previously been closed to them. This is quite a change for Microsoft, who until now kept their protocols propriety, forcing vendors to reverse-engineer the protocols. This should result in greater support between open source products and Windows. I hope other companies follow Microsoft’s lead.

Michael Oglesby

The Director of Tactical Security Services at TRUE, Michael specializes in security testing initiatives with vast network and application security assessment experience. He oversees a team of analysts in conducting SAST- and DAST-based services. Certifications include CISSP, CSSLP, QSA and CNSS 4011-4015. He is also the Verizon 2010 Data Breach Investigation Report Cover Challenge Winner and second place finisher in the 2011 competition.

Twitter - More Posts