‫ Microsoft Security Intelligence Report (1st section)


Number: IRCRE201411182
Date: 2014-11-17
Volume 17 of the Microsoft Security Intelligence Report (SIRv17) provides in-depth perspectives on software vulnerabilities, software vulnerability exploits, malicious and potentially unwanted software, and security breaches. Microsoft developed these perspectives based on detailed trend analysis over the past several years, with a focus on first and second quarters of 2014.
Vulnerability Severity
The following figure shows Industry-wide vulnerability disclosures by severity, 2H11–1H14.
The industrywide vulnerability disclosure count remained stable from 2H13 to 1H14 across all three severity categories. High-severity vulnerability disclosures declined 0.2 percent, medium-severity vulnerability disclosures declined 0.4 percent, and low-severity vulnerability disclosures declined 3.5 percent.
Medium-severity vulnerabilities—those with CVSS scores from 4 to 7.9—accounted for the largest share of vulnerability disclosures in 1H14, at 59.6 percent of all disclosures, and low-severity vulnerabilities accounted for the smallest share, at 9.3 percent. High-severity vulnerabilities accounted for nearly a third of all disclosures at 31.1 percent, with the highest-severity vulnerabilities—those scoring 9.9 or more on the CVSS scale—accounting for 6.1 percent of all vulnerabilities.
Vulnerability Complexity
Some vulnerabilities are easier to exploit than others, and vulnerability complexity is an important factor to consider in determining the magnitude of the threat that a vulnerability poses. A high-severity vulnerability that can only be exploited under very specific and rare circumstances might require less immediate attention than a lower-severity vulnerability that can be exploited more easily.
The following figure shows Industry-wide vulnerability disclosures by access complexity, 2H11–1H14.
Disclosures of Low-complexity vulnerabilities—those that are the easiest to exploit—increased from 43.7 percent of all disclosures in 2H13 to 48.1 percent in 1H14, becoming the largest category during the period.
Disclosures of Medium-complexity vulnerabilities accounted for 47.7 percent of all disclosures in 1H14, a decrease from 51.7 percent in 2H13.
Disclosures of High-complexity vulnerabilities decreased to 4.1 percent of all disclosures in 1H14, down from 4.6 percent in 2H13.
Operating System, Browser, and Application Vulnerabilities
The following figure shows Industry-wide operating system, browser, and application vulnerabilities, 2H11–1H14.
Vulnerabilities in applications other than web browsers and operating system applications increased 5.5 percent in 1H14 and accounted for 59.7 percent of total disclosures for the period.
Operating system application vulnerability disclosures increased 2.6 percent in 1H14, and accounted for 16.3 percent of total disclosures for the period.
Core operating system vulnerability disclosures, the only category of disclosures to decrease in 1H14, declined 25.2 percent in 1H14, going from second to third place. Overall, operating system vulnerabilities accounted for 12.5 percent of total disclosures for the period.
Browser vulnerability disclosures increased by 30.6 percent in 1H14, the largest percentage increase of any category, but still only accounted for 11.6 percent of total disclosures for the period.
Vulnerability Disclosures
The following figure charts vulnerability disclosures for Microsoft and non-Microsoft products, 2H11–1H14.
Microsoft vulnerability disclosures decreased from 177 disclosures in 2H13 to 160 in 1H14, a decrease of 9.6 percent.
The following figure shows the prevalence of different types of exploits detected by Microsoft antimalware products in each quarter in 2H13 and 1H14.
Encounters with Java exploits decreased each quarter, but remained the second most commonly encountered type of exploit in 1H14.
Encounters with exploits that target operating systems decreased slightly and accounted for the third highest percentage of exploits.
Encounters with document, Adobe Flash Player, and browser exploits remained mostly stable during the first half of the year, and each accounted for a small percentage of total exploits.


بدون نظر
شما برای نظر دادن باید وارد شوید


تاریخ ایجاد: 27 آبان 1393



امتیاز شما
تعداد امتیازها:0