Every six months, Microsoft releases a Security Intelligence Report — it’s a compilation of statistics and research about security vulnerabilities that affect Microsoft software.
The most recent report has a pair of charts that should give you pause:
Both charts show the breakdown of browser-based exploits encountered while surfing the web — the area in blue is malware that exploits bugs in Microsoft code (Internet Explorer, Media Player), and the area in red is malware that exploits bugs in third-party software (QuickTime, Flash, Firefox).
The top chart is data collected from Windows XP machines in the last six months.
The bottom chart is Windows Vista.
If that doesn’t make your eyebrows shoot up, keep staring at the chart for a moment. If you’re surfing the web under Windows XP, nearly half of the browser-based exploits that can infect your system are, sadly, aimed at bugs in Internet Explorer or other Microsoft code.
When you’re surfing the web under Vista, however, you’re nearly twenty times more likely to get infected through a bug in third-party software than through a bug in Vista or other Microsoft code.
This is what I don’t get about people downgrading from Vista to XP. This is why I don’t feel safe browsing the web on an XP machine.
That tiny blue sliver is the result of a lot of hard work and reengineering — not only on behalf of the Vista and Internet Explorer teams, but on behalf of everyone else at Microsoft who ships software. We’ve introduced a lot of methodology and a lot of technology into our engineering cycle to make this the norm across all of our products.
You can grab more info from the report here, if you’re interested.

8 Comments
Wow, that is pretty convincing. I postponed buying a new computer because I did not want Vista. Maybe I should do some rethinking.
One question that needs to be asked is, given the novelty of Vista over XP, can you attribute any significant difference to the lack of rampant Vista bugs to date?
Interesting read, nonetheless. Makes me happier with my recent installation. Guess I had some good advice ;-)
Jason, if I understand correctly, you’re asking whether the lack of security bugs in Vista can be explained by the shorter amount of time attackers have had to explore its depths? That’s a great question.
From what I’ve heard, a lot of the security work that went into Vista involved reengineering specific parts of the operating system that we knew were risky — instead of fixing security bugs one-by-one, we mitigated entire classes of attack by adding new security boundaries or reengineering how features worked.
For example, when you launch IE 7 in Vista you actually get two processes — one that does things like sending network requests and updating the browser cache on the filesystem, and one that does the actual HTML rendering, hosts plugins and ActiveX controls, etc. That second process is locked down such that a malicious plugin or ActiveX control can’t write to the hard drive, modify registry keys, launch new processes, etc. The worst that can happen is that your browser crashes and you have to restart the process.
Obviously this doesn’t mitigate DOS issues where a malicious control could hang the browser or find a bug in our HTML parsing to make a page load very slowly, but you can see how rearchitecting IE gave us a chance to do more than just fix bugs as we found out about them. It’s likely that, over time, attackers will find ways to bypass these new protections — but we’ve single-handedly rendered their current arsenal impotent.
(Note that, unless I’m mistaken, Firefox does not work like this — if you exploit a bug in Firefox, you can take over the system.)
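A way to check the Protected Mode boundary described in the reply above for yourself. This is an added example, not code from the post or from Microsoft. It assumes IE7 on Vista with Protected Mode on (iexplore.exe as the low-integrity renderer and ieuser.exe as the user-level broker), PowerShell 2.0 or later run from an ordinary medium-integrity prompt as the same user, and the documented mandatory-integrity RIDs (0x1000 Low, 0x2000 Medium, 0x3000 High, 0x4000 System). The last part reproduces the same boundary without IE: a copy of cmd.exe labelled Low starts at Low and can write into a Low-labelled directory but not into the (implicitly Medium) user profile.

```powershell
# Added example, not from the post or from Microsoft. Assumes Vista, IE7
# Protected Mode on, PowerShell 2.0+, run from a Medium-integrity prompt.

# P/Invoke helper: read the integrity RID from a process token.
# TokenIntegrityLevel is 25 in TOKEN_INFORMATION_CLASS.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class IntegrityLevel {
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr buffer, uint length, out uint needed);
    [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthority(IntPtr sid, uint index);
    [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr handle);

    const uint TOKEN_QUERY = 0x0008;
    const int TokenIntegrityLevel = 25;

    // Returns the last sub-authority of the token's mandatory label SID
    // (S-1-16-<rid>): 0x1000 Low, 0x2000 Medium, 0x3000 High, 0x4000 System.
    public static uint GetRid(IntPtr process) {
        IntPtr token;
        if (!OpenProcessToken(process, TOKEN_QUERY, out token))
            throw new System.ComponentModel.Win32Exception();
        try {
            uint needed;
            GetTokenInformation(token, TokenIntegrityLevel, IntPtr.Zero, 0, out needed);
            IntPtr buffer = Marshal.AllocHGlobal((int)needed);
            try {
                if (!GetTokenInformation(token, TokenIntegrityLevel, buffer, needed, out needed))
                    throw new System.ComponentModel.Win32Exception();
                // TOKEN_MANDATORY_LABEL.Label.Sid is the first field of the struct.
                IntPtr sid = Marshal.ReadIntPtr(buffer);
                byte count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
                return (uint)Marshal.ReadInt32(GetSidSubAuthority(sid, (uint)(count - 1)));
            } finally { Marshal.FreeHGlobal(buffer); }
        } finally { CloseHandle(token); }
    }
}
"@

$levelNames = @{ 0x1000 = 'Low'; 0x2000 = 'Medium'; 0x3000 = 'High'; 0x4000 = 'System' }

# 1. Broker vs. renderer. With Protected Mode on, ieuser.exe (assumed broker
#    name) should report Medium and iexplore.exe (renderer) Low. If iexplore.exe
#    reports Medium, Protected Mode is off for the zone the page came from.
Get-Process iexplore, ieuser -ErrorAction SilentlyContinue | ForEach-Object {
    $rid = [IntegrityLevel]::GetRid($_.Handle)
    '{0,-10} PID {1,-6} integrity {2}' -f $_.ProcessName, $_.Id, $levelNames[[int]$rid]
}

# 2. Where the Low process may write. IE's Low cache folder carries an explicit
#    Low label with the NW (no-write-up) policy; unlabelled objects are implicitly
#    Medium, which is why a compromised renderer cannot write elsewhere in the profile.
icacls "$env:LOCALAPPDATA\Microsoft\Windows\Temporary Internet Files\Low"
# Look for a line like: Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)

# 3. Reproduce the boundary without IE. The loader lowers a new process's token to
#    the executable's label, so a copy of cmd.exe labelled Low runs at Low.
$sandbox = Join-Path $env:TEMP 'lowtest'
New-Item -ItemType Directory -Path $sandbox -Force | Out-Null
Copy-Item "$env:SystemRoot\System32\cmd.exe" "$sandbox\lowcmd.exe"
icacls "$sandbox\lowcmd.exe" /setintegritylevel Low | Out-Null
icacls $sandbox /setintegritylevel '(OI)(CI)Low' | Out-Null
Remove-Item "$env:USERPROFILE\outside.txt" -ErrorAction SilentlyContinue

# A small batch probe avoids quoting problems when passing redirections through cmd /c.
$probe = @"
@echo off
whoami /groups | findstr /i "Mandatory"
echo hello > "$sandbox\inside.txt"
if exist "$sandbox\inside.txt" (echo write inside Low-labelled dir: allowed) else (echo write inside Low-labelled dir: DENIED)
echo hello > "$env:USERPROFILE\outside.txt"
if exist "$env:USERPROFILE\outside.txt" (echo write to Medium profile dir: ALLOWED - boundary broken) else (echo write to Medium profile dir: denied, as expected)
"@
Set-Content -Path "$sandbox\probe.cmd" -Value $probe -Encoding Ascii
& "$sandbox\lowcmd.exe" /c "$sandbox\probe.cmd"
```

Step 3 is the same mechanism IE relies on: the renderer's token is Low, so the kernel's no-write-up rule denies it write access to anything labelled Medium or higher, regardless of what the user's DACLs would otherwise permit. Launching a new process from Low, as the reply notes, is also constrained, since the child inherits the Low token.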
That was, in fact, my question ;-)
Very clever… and definitely answers my previous post.
BTW, I totally passed this information off in a conversation the other day like it was something obvious and well known ;-) Thanks!
Well, it should be common knowledge — so thanks for doing your part!
I, being mostly computer illiterate… how does this affect Microsoft Me users?
Windows ME would be considerably less secure than Windows XP.