
November 29, 2007 1:40 PM PST

Study: 'Huge jump' in Microsoft flaws since last year

The past year has seen a massive increase in the number of flaws found in Microsoft software, according to vulnerability-scanning company Qualys.

Between 2006 and 2007, there was an almost threefold rise in Microsoft flaws, Qualys said on Wednesday.

"We have seen a huge jump in the vulnerabilities in Microsoft Office products," said Amol Sawate, manager of Qualys' vulnerability-management lab. "These charts show growth of nearly 300 percent from 2006 to 2007, primarily in new Excel vulnerabilities that can easily be exploited by getting unsuspecting users to open Excel files sent via e-mail and instant message."

Alan Paller, director of research for the Sans Institute, a computer-security training organization, said that the reason more vulnerabilities were being found was that it was becoming increasingly profitable for crooks to target the software.

"It isn't that Microsoft isn't doing a better job," Paller said. "The reason (is that) it is so lucrative to find vulnerabilities in Excel and Word, so there are a lot of (hackers) searching for them."

Microsoft declined to comment for this story.

Tom Espiner of ZDNet UK reported from London. CNET News.com's Ina Fried contributed to this report from San Francisco.

Worthy of an article?
by scdecade November 29, 2007 2:15 PM PST
MS is on record on this one already. It's linux's fault.
MS needs to start over
by The_Decider November 29, 2007 2:35 PM PST
And built around security, not do what they did with XP and Vista and put half assed ideas and implementations as an afterthought.

MS continues to get abused for one reason:

It is trivial.

It is so trivial that a 12 year old kid who doesn't know what a buffer overflow is, much less how to write the simplest program can exploit MS products with ease.

MS are not so commonly and easily exploitable because it is "popular".

MS products get ripped up because MS is incompetent and doesn't want to put in the effort and money to design and write software correctly.
RE: MS needs to start over
by andrew.badge November 29, 2007 3:44 PM PST
I think it's naive to think that security is "trivial". Are you suggesting the writers of FireFox are less accomplished than 12 year old kids?

Note: I run version 2.0.0.10 of FireFox. Do you think each new version of FireFox is fixing security issues or do they just like releasing new numbers?

From what I understand, the MS code is quite excellent, but it's burdened by huge backward compatibility legacy.

No-one else seems to be perfect...even without this legacy.

P.S. Anyone noticed there doesn't seem to be any statistics, or data backing this up?
You Are Absolutely Right
by StargateFan November 29, 2007 8:38 PM PST
Microsoft has milked the NT Kernel to the end of its useful life. It is time for a complete rewrite of the entire Windows Operating System, and when I mean complete I am talking about a new IDE Page and start developing.

It is time for the NT Phase 2 Kernel. Microsoft's biggest issue is the fact that Windows is bloated; every version of every NT release is in Vista, they of course are not executable but they are there nonetheless. I believe the minwin kernel is a step in the right direction. MS needs to collaborate first, decide what will be the easiest/most advanced architecture for future developments and technologies. Meaning what Windows architecture provides the most ease of adaptation and begin again.

If this is done Windows would be less bloated, more responsive, and of course faster. Not to mention on the cutting edge of software design. With a brand new Windows MS could absolutely blow Mac OS X out of the water.
I experience this: Wanted to use OneCare...
by onlyauser November 29, 2007 2:40 PM PST
I wanted to use OneCare. Maybe tried is a better word. MS is doing something wrong. Why is all their software so BLOATED compared to others? MS is going the wrong direction. Even though we know they hope your old PC runs like crap when they release new software because it is so FAT and BLOATED.

Lean and mean is the way of the future. Small application footprints and access to massive power. People will get what they want regardless of what MS does---regardless of their monopoly or power. They should be cluing into this about now? Change will come to MS very soon if they continue on the same path.

Anyway, OneCare (just one example) SUCKS 100% and nearly killed my computer. I got rid of it and went with NOD32 and wow the old thing can run again.
Better than Symantec!
by The Harper November 29, 2007 6:15 PM PST
If you want to experience the ultimate in bloatware, try any of Symantec's consumer oriented products. Even their recent offerings are keen on sucking up disk space and system resources, and getting their claws so deep into the OS that even their own un-installs won't un-install them.
I Agree -- OneCare Live is Worst MS Product to Date
by pmchefalo December 1, 2007 8:36 AM PST
Tried it, couldn't stand it. Removed it and rebuked Microsoft for issuing such trash.

I think this shows that no one source of software can be all things to all people. Nor should they try unless they have made an assessment that the product really offers value. I think Microsoft shot itself in the foot selling a bad product via their good name.
In unrelated news
by Lee in San Diego November 29, 2007 2:46 PM PST
As reported on c|net earlier today "The economy is fine, at least for Microsoft"
Link to article?
by roger.d.miller November 29, 2007 2:53 PM PST
Is there a link to some data that backs this up? How do you define huge?
Why backup the article with facts
by suyts November 30, 2007 9:05 PM PST
when you can throw any (boy I hope this guy doesn't get paid for this) anti-MS bs you want to? I just don't understand the hate. If you don't like MS, don't buy it. It really isn't that hard. And, it's just code. Binary when simplified. How does one come to HATE off and on switches? Weirdos.
What about Mac?
by pctec100 November 29, 2007 3:07 PM PST
As someone who has to support both Mac and Windows I'd be curious to see the numbers of Mac flaws found this year compared to last.

I know perception can get skewed but it sure has felt like I've been doing a lot more Apple software patching over the past year than I have in the past.
Mac rules
by RompStar_420 November 30, 2007 7:36 AM PST
Minor problems with OS X 10.4 and 10.5 when it came out, all fixed and working like a charm. Never have any problems.

Linux even better, runs smooth.
Now that's a good one!
by pilaa November 30, 2007 12:34 PM PST
Just what kind of patches do you run on a Mac?? Apple provides patch installs automatically for its OS and it seems to me they do not come out as frequently nor are they as serious as they are on Windows.

Also, if you are running Microsoft Office on a Mac then you may have a few vulnerabilities but not nearly to the extent of Windows/Office.
Hahahaha . . .
by K.P.C. December 1, 2007 12:24 AM PST
"As someone who has to support both Mac and Windows I'd be curious to see the numbers of Mac flaws found this year compared to last. I know perception can get skewed but it sure has felt like I've been doing a lot more Apple software patching over the past year than I have in the past." . . .

You mean you had to hit the "Software Update" button?

How many "viruses/trojans/bots/owned machines" did you have to service?

How much security software did you have to install on all those Macs?

How much "patching" did YOU actually do?

Bet you get paid the same as you do "supporting" Win machines though - don't ya ;-)
WGA Focus
by GrandpaN1947 November 29, 2007 5:01 PM PST
Perhaps Microsoft would do better concentrating on making its programs better and dump all that effort into stopping pirates with WGA. In the end they will have secure garbage while everyone moves to a different, better platform.
WGA Gone
by timber2005 November 30, 2007 7:31 AM PST
Look back about a week or so ago on CNet... It might have been in the blogs, but Microsoft is "done with the confusion of WGA".
SANS Security? That's an oxymoron
by Vegaman_Dan November 29, 2007 8:57 PM PST
SANS used to be a reputable organization. Now their leader admits to censoring any messages that disagree with them or prove them wrong- especially on security issues.

Nope, it used to be good, now it's just a pay-for-training thing that doesn't actually teach anything. Don't believe me? Attend any conference and see for yourself.

But overall, it is true about flaws being found more. Apple has had a huge increase, as has Linux. Don't see a real change there.
The name alone
by DrtyDogg November 30, 2007 8:07 AM PST
Sans in French means: Without.
So their name is "Without Security".
Doesn't sound like a trustworthy source to me.
Proof, Please.
by Penguinisto November 30, 2007 1:55 PM PST
http://isc.sans.org

Go ahead - prove to us that even 1/2 of what you're saying is even remotely true.
So has the number of hackers looking....
by fred dunn November 30, 2007 6:43 AM PST
for the flaws. There is major money to be had now finding flaws first. Either being an employee of a private IT security company that sells subscriptions to detailed issues to companies. Then there is the "black" side of the business where if you find a flaw that no one else has found yet and is exploitable (Zero-Day) then you can sell it to those that wish to compromise for proprietary data (targeted attacks), those that wish to push SPAM (botnets), and those that wish to build up their inventory of bots to "lease" out for any number of malicious reasons (DDoS, SPAM, building their own herd).

It just so happens that Windows is the most prevalent OS out there so why would people waste their time on a minority share when they have all of these Windows systems out there?

It has been published and predicted that Vista (sigh) will be a major target in 2008 or when the market share gets to about the 10% mark.
That is going to be a turkey shoot since it has so many new lines of code that haven't been under the microscope as much as Windows XP.

Same goes for the Mac OSX and Linux. We are already starting to see it in the Mac community where it was almost null before now a Mac needs an anti-virus solution (God forbid).

More money can be made finding flaws in MS products than any other so while the flaws continue to be found they also continue to be fixed (maybe not in a reasonable time) but fixed none the less.

I will feel better with a more mature OS such as Windows XP on a go-forward basis than Vista because the same people that find the flaws haven't really concentrated on Vista yet but they have had 7 years to hack at XP.
Your point?
by Penguinisto November 30, 2007 2:34 PM PST
"now a Mac needs an anti-virus solution (God forbid)."

Really?

Please, name one single in-the-wild virus for OSX. Just one. I don't mean silly trojan packages which no A/V solution could hope to stop, but a real honest-to-Heaven virus.

Windows is targeted so much because it's so damned easy to target.

Lookit: If a burglar had a choice between busting into:

* a fortified home owned by a passionate NRA member and his family, with someone always home, and with lots of pro-gun bumper stickers and signage about the place...

vs...

* a house three doors down with all the doors and windows unlocked, signs and bumper stickers proclaiming love for all things Mother-Earthish, nobody home half the time, and just now we see an empty HDTV carton sitting in with the trash?

Well Gee... that's a real tough choice, isn't it?

Hackers see the same choice: Either spend a lot of time, heavy risk, and more than just a little effort into breaking into those OSX or Linux boxes - or just help himself to the bazillions of soft and typically defenseless-by-design Windows targets out there, and for little to no effort.

/P
MS released a lot of software last year!!!
by FutureGuy November 30, 2007 12:13 PM PST
what do you expect? No MS doesn't release flawless software, no one does.
...but 3x as much software?
by Penguinisto November 30, 2007 1:57 PM PST
We're thinking not...

Face it - MSFT software is crap.

/P
Speaking of Windows users
by Dango517 December 1, 2007 5:16 AM PST
Unfortunately we must become more wary, even suspicious, about what we do and especially what we open in our emails, and even when we do this we will fail. All of us will be outwitted; it is inevitable. Sooner or later we will let our guard down and trust again, or be lost in the moment and err. This is the most insidious of all the internet security issues: here our own human natures are pitted against us.
This comes over 2 years after Microsoft increased their security policy!
by wbenton December 1, 2007 7:52 AM PST
Microsoft said they were taking security more seriously over 2 years ago.

(* ROFLOL *)

Their actions and these flaws speak louder than words!

Walt
They're NOT Microsoft Flaws!
by EscapePod December 1, 2007 7:58 AM PST
Isn't it obvious that the flaws are in the HUMAN SCUM that do nothing else in their lives but try to break into systems and software???

As stated inside the article, MS does a pretty good job of keeping up with the SCUM by plugging the vulnerabilities. If people were honest and didn't try to constantly do harm to others, no form of security would ever be necessary.

OK ..... dream over ..... reboot!
LOL
by The_Decider December 1, 2007 8:58 AM PST
So you would not say that a person who went out of town for a week but left his door wide open is not responsible for getting all his stuff stolen?

Why should a bank spend money on vaults and other forms of security? After all, if someone steals all their money it isn't the bank's fault.

Microsoft leaves the door open, it is their fault that Windows, Office, etc, etc, etc is so damned flawed.

It is flawed at its root; all the patches and half-assed band-aids will not solve the problem. It is impossible to make a foolproof OS. As others have shown it is possible to make an OS that unskilled children cannot attack. Why can't Microsoft?
Err.... what?
by Penguinisto December 1, 2007 7:30 PM PST
Okay, I grok what you're getting at. But seriously, while I agree that malware authors aren't exactly angel material, I sincerely doubt that they forced Microsoft to use bad architecture and write bad code.

/P
Tongue in cheek, yes, but ....
by EscapePod December 3, 2007 8:10 PM PST
... think about how unbloated any software would be if it didn't need code for security purposes.

If malfunctioning humans would instantly drop dead the moment they try to do harm to an OS or app, or rob a bank ..... etc.

Meanwhile, I gotta go check my firewall settings ....
Penguinisto is going to save us all !!!
by fred dunn December 3, 2007 4:37 AM PST
He is "correct" any and all sensible posts with his God-Like prowess.

Don't bother trying to make any sense of any subject because Penguinisto knows it all and will show you the error in your ways.

Thank you Penguinisto for being here to show all of us how wrong we all are.

You are my hero.