The era of operating system vulnerability is slowly drawing to a close, with more than nine out of ten published software vulnerabilities now appearing in applications, Microsoft's latest half-yearly report has suggested.
According to the company's Security Intelligence Report for the first half of 2008, OS vulnerabilities are now stable at between 6 and 8 percent of those reported, a level they have been at since the first half of 2006. Vulnerabilities in Windows XP and Vista have shown a modest decrease in 2008, continuing a similar trend over the same period.
But the report paints a more complex picture in terms of which platforms are the ones most likely to run vulnerable applications. Vista scores well, with Microsoft-based software accounting for only 6 percent of vulnerabilities on that platform, with none of the top ten browser-based holes hitting the OS.
Over the period, the biggest Vista-based software vulnerabilities appeared to be in two ActiveX controls installed only in China, which would seem to confirm the relative obscurity of serious issues on the platform.
XP, by contrast, is still Microsoft's biggest headache, with 42 percent of all app holes on that platform coming from Microsoft's own software.
Using the number of PCs cleaned per 1,000 executions of Microsoft's own Malicious Software Removal Tool (MSRT), Vista SP1 scored 4.5, while the different updates of XP scored between 9.2 and 33.8. All of this confirms what has been well established in the past: XP and its applications are still relatively vulnerable, while the newer Vista and its applications do considerably better.
Across the industry as a whole, software vulnerabilities classified by the industry-standard Common Vulnerability Scoring System v2 (CVSSv2) as 'severe' now account for 7.3 percent of those made public, with a startling 41 percent classified as 'high'. More encouragingly, Microsoft reports, only 10.4 percent of holes had publicly available exploit code.
In truth, it is extremely hard to gauge from the report how Windows is stacking up against rival platforms such as Apple or Linux in terms of OS and app holes, but the overall message to take away appears to be that the OS is not the main worry. The big concern now is browsers on all platforms, including Windows.
Analysing these by locale showed that China was the most likely place for browser-based exploits to hit, with 46.6 percent of them happening in that country across all platforms. The US came second on 23 percent, Russia third with 7 percent and the UK some way back with 2.4 percent.