November 29, 2007 1:40 PM PST

Study: 'Huge jump' in Microsoft flaws since last year

The past year has seen a massive increase in the number of flaws found in Microsoft software, according to vulnerability-scanning company Qualys.

Between 2006 and 2007, there was an almost threefold rise in Microsoft flaws, Qualys said on Wednesday.

"We have seen a huge jump in the vulnerabilities in Microsoft Office products," said Amol Sawate, manager of Qualys' vulnerability-management lab. "These charts show growth of nearly 300 percent from 2006 to 2007, primarily in new Excel vulnerabilities that can easily be exploited by getting unsuspecting users to open Excel files sent via e-mail and instant message."

Alan Paller, director of research for the Sans Institute, a computer-security training organization, said that the reason more vulnerabilities were being found was that it was becoming increasingly profitable for crooks to target the software.

"It isn't that Microsoft isn't doing a better job," Paller said. "The reason (is that) it is so lucrative to find vulnerabilities in Excel and Word, so there are a lot of (hackers) searching for them."

Microsoft declined to comment for this story.

Tom Espiner of ZDNet UK reported from London. CNET News.com's Ina Fried contributed to this report from San Francisco.

See more CNET content tagged:
Qualys Inc., jump, flaw, vulnerability, Microsoft Excel

64 comments

Join the conversation!
Add your comment
Worthy of an article?
MS is on record on this one already. It's linux's fault.
Posted by scdecade (329 comments )
Reply Link Flag
MS needs to start over
And built around security, not do what they did with XP and Vista and put half assed ideas and implementations as an afterthought.

MS continues to get abused for one reason:

It is trivial.

It is so trivial that a 12 year old kid who doesn't know what a buffer overflow is, much less how to write the simplest program can exploit MS products with ease.

MS are not so commonly and easily exploitable because it is "popular".

MS products get ripped up because MS is incompetent and doesn't want to put in the effort and money to design and write software correctly.
Posted by The_Decider (3097 comments )
Reply Link Flag
RE: MS needs to start over
I think its Naive to think that security is "trivial". Are you suggesting the writers of FireFox are less accomplished than 12 year kids?

Note: I run version 2.0.0.10 of FireFox. Do you think each new version of FireFox is fixing security issues or do they just like releasing new numbers?

From what i understand, the MS code is quite excellent, but its burdened by huge backward compatibility legacy.

No-one else seems to be perfect...even without this legacy.

Ps anyone notcied there doesn't seem to be any statistics, or data backing this up?
Posted by andrew.badge (3 comments )
Link Flag
You Are Absolutely Right
Microsoft has milked the NT Kernel to the end of it's useful life. It is time for a complete rewrite of the entire Windows Operating System, and when I mean complete I am talking about a new IDE Page and start developing.

It is time for the NT Phase 2 Kernel. Microsoft's biggest issue is the fact that Windows is bloated, every version of every NT release is in Vista they of course are not executable but they are there nonetheless. I believe the minwin kernel is a step in the right direction. MS needs to collaboarate first, decide what will be the easiest/most advanced architecure for future developements and technologies. Meaning what Windows architecture provides the most ease of adaptation and begin again.

If this is done Windows would be less bloated, more responsive, and of course faster. Not to mention on the cutting edge of software design. With a brand new Windows MS could absolutely blow Mac OS X out of the water.
Posted by StargateFan (122 comments )
Link Flag
I experience this: Wanted to use OneCare...
I wanted to use OneCare. Maybe tried is a better word. MS is doing something wrong. Why is all their software so BLOATED compared to others? MS is going the wrong direction. Even though we know they hope your old PC run like crap when they release new software because it is so FAT and BLOATED.

Lean and mean is the way of the future. Small application footprints and access to massive power. People will get what they want regardless of what MS does---regardless of their monopoly or power. They should be cluing into this about now? Change will come to MS very soon if they continue on the same path.

Anyway, OneCare (just one example) SUCKS 100% and nearly killed my computer. I got rid of it an went with NOD32 and wow the old thing can run again.
Posted by onlyauser (220 comments )
Reply Link Flag
Better than Symantec!
If you want to experience the ultimate in bloatware, try any of symantec's consumer oriented products. Even their recent offerings are keen on sucking up disk space and system resources, and getting their claws so deep into the OS that even their own un-installs won't un-install them.
Posted by The Harper (41 comments )
Link Flag
I Agree -- OneCare Live is Worst MS Product to Date
Tried it, couldn't stand it. Removed it and rebuked Microsoft for issuing such trash.

I think thus shows that no one source of software can be all things to all people. Nor should they try unless they have made an assessment that the produt really offers value. I think Microsoft shot itself in the foot selling a bad product via their good name.
Posted by pmchefalo (135 comments )
Link Flag
In unrelated news
As reported on c|net earlier today "The economy is fine, at least for
Microsoft"
Posted by Lee in San Diego (608 comments )
Reply Link Flag
Link to article?
Is there a link to some data that backs this up? How do you define huge?
Posted by roger.d.miller (41 comments )
Reply Link Flag
Why backup the article with facts
when you can throw any (boy I hope this guy doesn't get paid for this) anti-MS bs you want to? I just don't understand the hate. If you don't like MS, don't buy it. It really isn't that hard. And, it's just code. Binary when simplified. How does one come to HATE off and on switches? Weirdos.
Posted by suyts (824 comments )
Link Flag
What about Mac?
As someone who has to support both Mac and Windows I'd be curious to see the numbers of Mac flaws found this year compared to last.

I know perception can get skewed but it sure has felt like I've been doing a lot more Apple software patching over the past year than I have in the past.
Posted by pctec100 (105 comments )
Reply Link Flag
Mac rules
Minor problems with OS X10.4 and 10.5 when it came out, all fixed
and working like a charm. Never have any problems.

Linux even better, runs smooth.
Posted by RompStar_420 (772 comments )
Link Flag
Now thats a good one!
Just what kind of patches do you run on a Mac?? Apple provides patch installs automatically for its OS and it seems to me they do not come out as frequent nor are they as serious as they are on Windows.

Also, if you are running Microsoft Office on a Mac then you may have a few vulnerabilities but not nearly to the extent of Windows/Office.
Posted by pilaa (253 comments )
Link Flag
Hahahaha . . .
"As someone who has to support both Mac and Windows I'd be
curious to see the numbers of Mac flaws found this year
compared to last. I know perception can get skewed but it sure
has felt like I've been doing a lot more Apple software patching
over the past year than I have in the past." . . .

You mean you had to hit the "Software Update" button?

How many "viruses/trojans/bots/owned machines" did you have
to service?
How much security software did you have to install on all those
Macs?

How much "patching" did YOU actually do?

Bet you get paid the same as you do "supporting" Win machines
though - don't ya ;-)
Posted by K.P.C. (227 comments )
Link Flag
WGA Focus
Perhaps Microsoft would do better concentrating on making it's programs better and dump all that effort into stopping pirates with WGA. In the end they will have secure garbage while everyone moves to a different better platform.
Posted by GrandpaN1947 (187 comments )
Reply Link Flag
WGA Gone
Look back about a week or so ago on CNet... I might have been in the blogs but Microsoft is "done with the confusion of WGA"
Posted by timber2005 (720 comments )
Link Flag
SANS Security? That's an oxymoron
SANS used to be a reputable organization. Now their leader admits to censoring any messages that disagree with them or prove them wrong- especially on security issues.

Nope, it used to be good, now it's just a pay-for-training thing that doesn't actually teach anything. Don't believe me? Attend any conference and see for yourself.

But overall, it is true about flaws being found more. Apple has had a huge increase, as has Linux. Don't see a real change there.
Posted by Vegaman_Dan (6683 comments )
Reply Link Flag
The name alone
Sans in French means: Without.
So there name is "Without Security"
Doesn't sound like a trustworthy source to me.
Posted by DrtyDogg (3084 comments )
Link Flag
Proof, Please.
<a class="jive-link-external" href="http://isc.sans.org" target="_newWindow">http://isc.sans.org</a>

Go ahead - prove to us that even 1/2 of what you're saying is even remotely true.
Posted by Penguinisto (5042 comments )
Link Flag
So has the number of hackers looking....
for the flaws. There is major money to be had now finding flaws first. Either being an employee of a private IT security company that sells subscriptions to detailed issues to companies. Then there is the "black" side of the business where if you find a flaw that no one else has found yet and is exploitable (Zero-Day) then you can sell it to those that wish to compromise for proprietary data (targeted attacks), those that wish to push SPAM (botnets), and those that wish to build up their inventory of bots to "lease" out for any number of malicious reasons (DDoS, SPAM, building their own herd).

It just so happens that Windows is the most prevalent OS out there so why would people waste their time on a minority share when they have all of these Windows systems out there?

It has been published and predicted that Vista (sigh) will be a major target in 2008 or when the market share gets to about the 10% mark.
That is going to be a turkey shoot since it has so many new lines of code that haven't been under the microscope as much as Windows XP.

Same goes for the Mac OSX and Linux. We are already starting to see it in the Mac community where it was almost null before now a Mac needs an anti-virus solution (God forbid).

More money can be made finding flaws in MS products than any other so while the flaws continue to be found they also continue to be fixed (maybe not in a reasonable time) but fixed none the less.

I will feel better with a more mature OS such as Windowss XP on a go-forward basis than Vista because the saame people that find the flaws haven't really concentrated on Vista yet but they have had 7 years to hack at XP.
Posted by fred dunn (793 comments )
Reply Link Flag
Your point?
"[i]now a Mac needs an anti-virus solution (God forbid).[/i]"

Really?

Please, name one single in-the-wild virus for OSX. Just one. I don't mean silly trojan packages which no A/V solution could hope to stop, but a real honest-to-Heaven virus.

Windows is targeted so much because it's so damned easy to target.

Lookit: If a burglar had a choice bwteen busting into:

* a fortified home owned by a passionate NRA member and his family, with someone always home, and with lots of pro-gun bumper stickers and signage about the place...

vs...

* a house three doors down with all the doors and windows unlocked, signs and bumper stickers proclaiming love for all things Mother-Earthish, nobody home half the time, and just now we see an empty HDTV carton sitting in with the trash?

Well Gee... that's a real tough choice, isn't it?

Hackers see the same choice: Either spend a lot of time, heavy risk, and more than just a little effort into breaking into those OSX or Linux boxes - or just help himself to the bazillions of soft and typically defenseless-by-design Windows targets out there, and for little to no effort.

/P
Posted by Penguinisto (5042 comments )
Link Flag
MS relese a lot of software last year!!!
what do you expect? No MS doesn't release flawless software, no one does.
Posted by FutureGuy (742 comments )
Reply Link Flag
...but 3x as much software?
We're thinking not...

Face it - MSFT software is crap.

/P
Posted by Penguinisto (5042 comments )
Link Flag
Speaking of Windows users
Unfortunately we must become more wary, even suspicious about what we do and especially what we open in our Emails and even when we do this we will fail. All of us will be outwitted, it is inevitable, sooner or later we will let our guard down and trust again or be lost in the moment and err. This is the most insidious of all the internet security issues here our own human natures are pitted against us.
Posted by Dango517 (199 comments )
Reply Link Flag
This comes over 2 years after Microsoft increased their security policy!
Mirosoft said they were taking security more seriously over 2 years ago.

(* ROFLOL *)

Their actions and these flaws speak louder than words!

Walt
Posted by wbenton (522 comments )
Reply Link Flag
They're NOT Microsoft Flaws!
Isn't it obvious that the flaws are in the HUMAN SCUM that do nothing else in their lives but try to break into systems and software???

As stated inside the article, MS does a pretty good job of keeping up with the SCUM by plugging th vulnerabilities. If people were honest and didn't try to constantly do harm to others, no form of security would ever be necessary.

OK ..... dream over ..... reboot!
Posted by EscapePod (40 comments )
Reply Link Flag
LOL
So you would not say that a person who went out of town for a week but left his door wide open is not responsible for getting all his stuff stolen?

Why should a bank spend money on vaults and other forms of security? After all, if someone steals all their money it isn't the banks fault.

Microsoft leaves the door open, it is their fault that Windows, Office, etc, etc, etc is so damned flawed.

It is flawed at its root, all the patches and half-assed band-aids will not solve the problem. It is impossible to make a fool proof OS. As others have shown it is possible to make an OS that unskilled children can not attack. Why can't Microsoft?
Posted by The_Decider (3097 comments )
Link Flag
Err.... what?
Okay, I grok what you're getting at. But seriously, while I agree that malware authors aren't exactly angel material, I sincerely doubt that they forced Microsoft to use bad architecture and write bad code.

/P
Posted by Penguinisto (5042 comments )
Link Flag
Tongue in cheek, yes, but ....
... think about how unbloated any software would be if it didn't need code for security purposes.

If malfunctioning humans would instantly drop dead the moment they try to do harm to an OS or app, or rob a bank ..... etc.

Meanwhile, I gotta go check my firewall settings ....
Posted by EscapePod (40 comments )
Link Flag
Penguinisto is going to save us all !!!
He is "correct" any and all sensible posts with his God-Like prowess.

Don't bother trying to make any sense of any subject because Penguinisto knows it all and will show you the error in your ways.

Thank you Penguinisto for being here to show all of us how wrong we all are.

You are my hero.
Posted by fred dunn (793 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.