Vulnerability marketplace sparks hike in critical Microsoft flaws.
Microsoft patched 133 'critical' or 'important' vulnerabilities in 2006, more than doubling the number from 2005, according to data collected by security vendor McAfee.
Both Microsoft and McAfee pointed to a variety of factors as the cause for the rise in vulnerabilities, but none of those suggested that there is anything wrong with the quality of Microsoft's code.
Dave Marcus, security research and communications manager at McAfee, told vnunet.com that Microsoft's software was not necessarily at fault, but that the overall success of the company's products made Microsoft a popular target for an ever-expanding market for exploits and malware.
"When it comes to talking about vulnerabilities, the existence of a vulnerability in and of itself does not mean that there is an increase in risk, " said Marcus.
"The rise in critical vulnerabilities really just means a rise in discoveries; the vulnerabilities were there in the first place."
Marcus pointed out that detecting and removing every possible vulnerability in an application like Windows or Office, which can contain millions of lines of code, would be nearly impossible.
Vulnerability researchers and malware writers are focusing their bug searches on critical vulnerabilities. Because they can be exploited to install malware and spyware, they are the most useful for commercial exploitation.
"The critical vulnerability is definitely the holy grail," said Marcus.
Mark Miller, director of the Microsoft security response centre, agreed that the increased monetary value placed on the discovery and exploitation of security vulnerabilities is causing more vulnerabilities to be found.
"I think there is a rise across the industry," he said. "Microsoft's increase is relative to that."
Marcus believes that Microsoft's market domination has put it in the spotlight for security researchers and malware authors, and that less popular applications yield a smaller pool of potential victims.
"Targets of opportunity is a big deal," he said.
Both Microsoft and McAfee agree that the new security features in Windows Vista have the ability to affect the number of critical vulnerabilities published next year, but neither thinks that Vista will provide a "magic bullet " against security exploits.
"I think [Vista] will have a positive impact on what some of these vulnerabilities can do. It goes a long way to mitigating the impact of certain types," said Marcus.
"But at the end of the day the vulnerability comes down to the code, and hackers will continue to find vulnerabilities in the code."
Jeff Jones, director of Microsoft's security technology unit, told vnunet.com that, while Vista sports major security improvements, it is only one in a very large stable of Microsoft products.
Many of those have yet to be moved over to Microsoft's security focused development programme.
"We are adding one new product to the list. [The McAfee report] is across all of our products. So there's a distinction between how many products we have versus that product," he said.
Marcus added that, overall, he expects the trend of reported vulnerabilities in Microsoft products to continue in 2007.
"You will definitely continue to see a rise in the number of vulnerabilities. There are theoretically tens of thousands of vulnerabilities waiting to be discovered," he said.
But Marcus was hesitant to place the blame solely on Redmond. "Even when you look at all the critical vulnerabilities, Microsoft does a good job of patching things as soon as it can," he said.
"So it does a very good job of trying to keep things as patched as possible. And at the end of the day that's really all you can ask for."
Microsoft critical vulnerability boom persists
By Shaun Nichols on Dec 18, 2006 2:59PM