Report: Microsoft fastest to issue OS patches, Sun slowest
Symantec’s comprehensive security report on the malware industry from July 1 to December 31, 2007, is now available (PDF) in its 100+ page glory. While some parts of the report simply reiterate data we’re well aware of – it’s no surprise to read that the majority of malicious activity originates in the US – there’s also a great deal of new information here that we’ll examine below.
OS/software vulnerabilities
Symantec broke down information on patch development time by operating system and by the type of vulnerability encountered. Surprisingly, Microsoft had the shortest time-to-patch over both halves of 2007. In the first part of the year, Microsoft released 38 patches (two of which involved third-party applications) with an average deployment time of 18 days. From July to December, Microsoft released 22 patches with an average patch time of six days.
Source: Ars Technica
Red Hat came in second, at 32 days for the second half of the year and 36 days in the first half. That’s quite a bit higher than Microsoft’s average, but of the 227 vulnerabilities Red Hat patched in 2007, 226 of them involved third-party applications. Apple, Sun, and HP all lag well behind Microsoft and Red Hat, though the gap for each company differs significantly between the first and second halves of last year.
Vulnerability breakdowns by type are listed above for each company. Client-side attacks are vulnerabilities that specifically affect network client software and software that receives data from network clients. These vulnerabilities do not directly affect web browsers, though web browsers may provide the initial vector of attack. Local vulnerabilities, in this context, refer to vulnerabilities that can only be exploited by a person physically located at the machine in question.
The pie charts above show rough similarities in vulnerability distribution between Mac OS X and Red Hat, and between Sun and HP. Microsoft’s Windows XP and Windows Vista, meanwhile, have the dubious distinction of being the only operating systems for which a full 82 percent of vulnerabilities were found either client-side or directly within the browser.
Once we break down vulnerability by browser plugin, Microsoft’s high percentage of client-side and browser vulnerabilities makes perfect sense. Symantec tracked patch reports for Adobe Acrobat, Flash, Quicktime, ActiveX, Windows Media Player, Mozilla browser extensions, Opera widgets, and Sun Java. Over the course of 2007, a total of 476 vulnerabilities were found across all eight categories. Care to guess who came in first?
These two pie charts clearly demonstrate just how insecure Java really is—the number of Java-based vulnerabilities rose 250 percent from July-December as compared to January-June.
Okay, in all seriousness, ActiveX is the overwhelming culprit here. Microsoft put a great deal of emphasis on security when it developed Vista, and Internet Explorer 7 contains its own set of security enhancements meant to limit ActiveX attacks, but there are gaping holes in Microsoft’s security in this area—or perhaps it’s simply more accurate to say Microsoft has managed to create a few threads of security amid the gaping vulnerabilities of ActiveX. The percentage of ActiveX-derived exploits should fall in 2008 as an increasing number of users make the jump to Windows Vista.
The report indicates that theft of data and identities is a continuing problem in both the private and public sectors. As of December 31, a majority of US states (39) had passed laws mandating that any company doing business within that state must notify its customers immediately once a security breach has been detected. The first graph below details the percentage of breaches by sector, while the second graph lists the total number of identities exposed.
The two charts paint very different pictures of the identity theft problem. The education sector accounts for the largest single number of breaches, at 24 percent of the total, but the actual number of identities compromised as a result of these breaches is comparatively tiny, at one percent of the total. This same scenario fits health care sector breaches as well; despite accounting for 16 percent of total incidents, only one percent of the potential identity theft breaches reported came from the health care industry.
Government and financial institutions accounted for the vast majority of breaches, though both were helped along by a series of high-profile attacks. The UK’s HMRC (Her Majesty’s Revenue and Customs) managed to lose two unencrypted disks with 25 million personal records on them, while the American-based Fidelity National Information Services lost 8.5 million credit card numbers (and the personal data associated with them) thanks to the actions of a disgruntled employee.
As for how the thefts occurred, theft or loss of physical materials or information accounts for the overwhelming majority of cases. The report speculates that in at least some of these cases, the hardware in question was stolen for its own sake. In these cases, the personal information in question was either a secondary target or not a target at all.
Living in America… you are what you own
As we’ve discussed in previous articles, the malware industry is a booming, increasingly commercial business where the name of the game is first obtaining and then selling personal information. Unsurprisingly, bank account data is the biggest seller, and potentially worth the most money, with prices ranging from $10 to $1,000 depending on the size of the account. Credit card data can sell for 40 cents to $20, full personal identities range from $1-$15, and eBay accounts round out the top of the list.
Pricing tends to vary depending on the value of the account, the location of the person in question (European personal data is more expensive than US personal data) and the type of information acquired. Symantec reports that buyers tend to favor bank accounts because these are easier to anonymously drain, though a full suite of personal identification information on someone is more effective for certain other, longer-term or more complicated schemes.
Conclusion
Several of the write-ups on this Symantec report have focused on the “Your identity is worth $15” angle, but there’s far more data here than even we’ve discussed. The report includes a section on good security practices, further information on many of the attack vectors discussed here, and additional information on enterprise-level security. If you’re looking for the executive summary without digging into the entire report, you can find it here (PDF).