by Andy Patrizio
Over the years, Microsoft has done a decent job of hardening its operating systems, to the point that the bad guys are now targeting the application layer instead of the OS for their malware to latch onto. And from the looks of anti-malware vendor Kaspersky Labs’ latest IT Threat Evolution report, Microsoft’s apps are pretty solid, too. Oracle’s Java and Adobe’s Acrobat and Flash, on the other hand, have a lot of work to do.
The report found that 56% of exploits blocked in Q3 used Java vulnerabilities, while another 25% targeted vulnerabilities in Acrobat Reader. Windows and Internet Explorer accounted for just 4% of all exploits, and Microsoft was not represented at all in the top 10 most severe exploits.
Out of the top 10, two involved Oracle Java, three involved Adobe Flash, one involved Shockwave and one involved Adobe Reader. The other three involved iTunes, QuickTime and WinAMP, a music player published by AOL.
Roel Schouwenberg, senior researcher at Kaspersky Labs, pulled no punches in his criticism of Oracle. “Where other companies have improved their security posture to varying degrees, over the years Oracle has stood completely still. No efforts have been made to make the software more secure or at least improve the updating mechanism. Their response to security vulnerabilities has been completely inadequate as well, having been aware of easy-to-fix security vulnerabilities for months without fixing them. Simply put, Oracle’s lack of response proves that it’s best to go ahead and uninstall Java,” he said.
Oracle did not respond to repeated requests for comment.
Adobe, on the other hand, has been investing a lot into security, said Schouwenberg. “They introduced a sandbox in Reader X that really made Acrobat a much, much tougher target. As a result, the attackers have been going after Flash more. In recent times, Adobe has been improving the update experience. There’s still some room for improvement, but it’s a lot better now,” he said.
Schouwenberg also complimented Apple, saying the company was still seriously lacking in the security response department early this year, but in recent months there are signs they’re trying to improve this situation.
Microsoft’s great showing came from its experience in software development lifecycle management and the automatic updates, pushed out every second Tuesday on what is known as Patch Tuesday. “There haven’t been too many zero-days which have hit them this year. At the same time, they’re generally quite quick to respond and automatic updates by default. It’s the overall package that puts Microsoft in a good spot, for sure,” he said.
Another disturbing trend: the bad guys are really after Android OS, especially version 2.3.6 (a.k.a. “Gingerbread”). In Q3 2012, 28% of all mobile devices attacked by malware were running Gingerbread. Gingerbread and Android OS 4.0.x, a.k.a. “Ice Cream Sandwich,” were the targets of 91% of all Android malware attacks that occurred on mobile devices.
More than half (57%) of all malware detected on smartphones consisted of SMS Trojans designed to steal money from victims’ mobile accounts by sending SMS messages to premium rate numbers.