November 29, 2007 1:40 PM PST

Study: 'Huge jump' in Microsoft flaws since last year

The past year has seen a massive increase in the number of flaws found in Microsoft software, according to vulnerability-scanning company Qualys.

Between 2006 and 2007, there was an almost threefold rise in Microsoft flaws, Qualys said on Wednesday.

"We have seen a huge jump in the vulnerabilities in Microsoft Office products," said Amol Sarwate, manager of Qualys' vulnerability-management lab. "These charts show growth of nearly 300 percent from 2006 to 2007, primarily in new Excel vulnerabilities that can easily be exploited by getting unsuspecting users to open Excel files sent via e-mail and instant message."

Alan Paller, director of research for the SANS Institute, a computer-security training organization, said that the reason more vulnerabilities were being found was that it was becoming increasingly profitable for crooks to target the software.

"It isn't that Microsoft isn't doing a better job," Paller said. "The reason (is that) it is so lucrative to find vulnerabilities in Excel and Word, so there are a lot of (hackers) searching for them."

Microsoft declined to comment for this story.

Tom Espiner of ZDNet UK reported from London. CNET News.com's Ina Fried contributed to this report from San Francisco.

Worthy of an article?
by scdecade November 29, 2007 2:15 PM PST
MS is on record on this one already. It's linux's fault.
MS needs to start over
by The_Decider November 29, 2007 2:35 PM PST
And built around security, not do what they did with XP and Vista and put half assed ideas and implementations as an afterthought.

MS continues to get abused for one reason:

It is trivial.

It is so trivial that a 12 year old kid who doesn't know what a buffer overflow is, much less how to write the simplest program can exploit MS products with ease.

MS are not so commonly and easily exploitable because it is "popular".

MS products get ripped up because MS is incompetent and doesn't want to put in the effort and money to design and write software correctly.
I experience this: Wanted to use OneCare...
by onlyauser November 29, 2007 2:40 PM PST
I wanted to use OneCare. Maybe tried is a better word. MS is doing something wrong. Why is all their software so BLOATED compared to others? MS is going the wrong direction. Even though we know they hope your old PC runs like crap when they release new software because it is so FAT and BLOATED.

Lean and mean is the way of the future. Small application footprints and access to massive power. People will get what they want regardless of what MS does---regardless of their monopoly or power. They should be cluing into this about now? Change will come to MS very soon if they continue on the same path.

Anyway, OneCare (just one example) SUCKS 100% and nearly killed my computer. I got rid of it and went with NOD32 and wow, the old thing can run again.
In unrelated news
by Lee in San Diego November 29, 2007 2:46 PM PST
As reported on c|net earlier today: "The economy is fine, at least for Microsoft"
Link to article?
by roger.d.miller November 29, 2007 2:53 PM PST
Is there a link to some data that backs this up? How do you define huge?
What about Mac?
by pctec100 November 29, 2007 3:07 PM PST
As someone who has to support both Mac and Windows I'd be curious to see the numbers of Mac flaws found this year compared to last.

I know perception can get skewed but it sure has felt like I've been doing a lot more Apple software patching over the past year than I have in the past.
WGA Focus
by GrandpaN1947 November 29, 2007 5:01 PM PST
Perhaps Microsoft would do better concentrating on making its programs better and dump all that effort into stopping pirates with WGA. In the end they will have secure garbage while everyone moves to a different, better platform.
SANS Security? That's an oxymoron
by Vegaman_Dan November 29, 2007 8:57 PM PST
SANS used to be a reputable organization. Now their leader admits to censoring any messages that disagree with them or prove them wrong, especially on security issues.

Nope, it used to be good, now it's just a pay-for-training thing that doesn't actually teach anything. Don't believe me? Attend any conference and see for yourself.

But overall, it is true about flaws being found more. Apple has had a huge increase, as has Linux. Don't see a real change there.
So has the number of hackers looking....
by fred dunn November 30, 2007 6:43 AM PST
for the flaws. There is major money to be had now finding flaws first. Either being an employee of a private IT security company that sells subscriptions to detailed issues to companies. Then there is the "black" side of the business where if you find a flaw that no one else has found yet and is exploitable (Zero-Day) then you can sell it to those that wish to compromise for proprietary data (targeted attacks), those that wish to push SPAM (botnets), and those that wish to build up their inventory of bots to "lease" out for any number of malicious reasons (DDoS, SPAM, building their own herd).

It just so happens that Windows is the most prevalent OS out there so why would people waste their time on a minority share when they have all of these Windows systems out there?

It has been published and predicted that Vista (sigh) will be a major target in 2008 or when the market share gets to about the 10% mark.
That is going to be a turkey shoot since it has so many new lines of code that haven't been under the microscope as much as Windows XP.

Same goes for Mac OS X and Linux. We are already starting to see it in the Mac community where it was almost null before; now a Mac needs an anti-virus solution (God forbid).

More money can be made finding flaws in MS products than any other, so while the flaws continue to be found they also continue to be fixed (maybe not in a reasonable time), but fixed nonetheless.

I will feel better with a more mature OS such as Windows XP on a go-forward basis than Vista, because the same people that find the flaws haven't really concentrated on Vista yet but they have had 7 years to hack at XP.
MS released a lot of software last year!!!
by FutureGuy November 30, 2007 12:13 PM PST
What do you expect? No, MS doesn't release flawless software; no one does.
Speaking of Windows users
by Dango517 December 1, 2007 5:16 AM PST
Unfortunately we must become more wary, even suspicious, about what we do and especially what we open in our e-mails, and even when we do this we will fail. All of us will be outwitted; it is inevitable. Sooner or later we will let our guard down and trust again, or be lost in the moment and err. This is the most insidious of all the internet security issues: here our own human natures are pitted against us.
This comes over 2 years after Microsoft increased their security policy!
by wbenton December 1, 2007 7:52 AM PST
Microsoft said they were taking security more seriously over 2 years ago.

(* ROFLOL *)

Their actions and these flaws speak louder than words!

Walt
They're NOT Microsoft Flaws!
by EscapePod December 1, 2007 7:58 AM PST
Isn't it obvious that the flaws are in the HUMAN SCUM that do nothing else in their lives but try to break into systems and software???

As stated inside the article, MS does a pretty good job of keeping up with the SCUM by plugging the vulnerabilities. If people were honest and didn't try to constantly do harm to others, no form of security would ever be necessary.

OK ..... dream over ..... reboot!
Penguinisto is going to save us all !!!
by fred dunn December 3, 2007 4:37 AM PST
He "corrects" any and all sensible posts with his God-Like prowess.

Don't bother trying to make any sense of any subject because Penguinisto knows it all and will show you the error in your ways.

Thank you Penguinisto for being here to show all of us how wrong we all are.

You are my hero.