Microsoft: Security Efforts Bearing Fruit

"Attackers are getting more efficient," said Mike Nash, vice president for Microsoft's security business unit. "Where once there were 17 days between the disclosure of a vulnerability and the release of an exploit, with Zotob, it was just three-and-a-half days.

"But Microsoft is also getting faster," said Nash. "We had Windows Malicious Software Removal Tool updated for Zotob in just hours."

Nash's claim that Microsoft's picking up the pace isn't always backed by independent third parties. According to eEye Digital Security, for example, which tracks the vulnerabilities it's submitted to Microsoft and logs the days it takes the Redmond, Wash.-based developer to produce a patch, Microsoft burned an average of 132 days to come up with a fix for an eEye-uncovered bug.

During a QandA part of the monthly Security 360 Webcast that Nash hosted Tuesday, a Microsoft spokesperson responded to a TechWeb query about the long time-to-patch by saying that "creating security updates that effectively fix vulnerabilities is an extensive process.

"There are many factors that impact the length of time between the discovery of a vulnerability and the release of a security update, and every vulnerability presents its own unique challenges. Once the update is built, it must be tested with the different operating systems and applications it affects, then localized for many markets and languages." Nash also boasted that overall security is improving on the Windows platform, and again claimed that since Windows XP SP2 was released in 2004, the number of security bulletins Microsoft's released has dropped significantly. "The good news is that the industry has made great strides in its efforts to combat and prevent malicious software attacks," said Nash.

By Symantec's reckoning, however, security has not noticeably improved.

The number of viruses and worms targeting Windows, for example, ballooned by 48 percent in the first half of 2005, compared to the last six months of 2004, Symantec said in its semi-annual Internet Security Threat Report. And the number of vulnerabilities industry wide -- not Microsoft's specifically -- reached an all-time high of 1,862, a 31 percent surge over 2004's second half and 25 percent more than the previous record of the first half of 2003.

During Nash's presentation -- which included interviews with Microsoft employees, industry analysts, and officials from security firms -- there was also much talk about how malicious code campaigns have changed, a trend analyzed by virtually every security vendor or consultant this year and last.

"Malicious code writing is a business now," said Natalie Lambert, analyst at Forrester Research.

According to Symantec's report, that's true, and in spades.

"Financially-motivated attacks have reached an unprecedented rate," said Oliver Friedrichs, senior manager of Symantec's security response research team. "There's an entirely new economy focused on the bartering and purchasing of confidential information. And with the higher stakes, we're seeing professional caliber efforts going into today's threats."

Nash also laid out a checklist of best practices and touted such Microsoft products as its anti-spyware and still-in-beta OneCare, a security and anti-virus service that has yet to be priced by the company.

He also recommended that enterprise managers tune into his monthly hour-long Webcasts. "One of the most important defenses against malicious software is keeping informed and vigilant," he concluded.