from norton(ugh!!!) :
http://www.symantec.com/enterprise/theme.jsp?themeid=threatreport
http://www.internetnews.com/security/article.php/3667201
Symantec, usually no fan of Microsoft, recently released their 11th Internet Security Threat Report, in which they found, “Windows had the fewest number of patches and the shortest average patch development time of the five operating systems it monitored in the last six months of 2006.”
It took Microsoft an average of 21 days to roll out a patches for 39 security holes in Windows (a more than 100% increase in vulnerabilities over the same period in 2006), beating #2 ranked Red Hat Linux which required an average of 58 days to fix 208 security issues. Of course, of those 208 holes in Red Hat, only 2 were high-severity and 76 were considered low-risk.
Apple, for it’s part, needed an average of 66 days to fix 43 vulnerabilities. (I guess the Cupertino kids were busy working on that iPhone hotness).
They criticize the operational system which allow they to sell antivirus most.
Aren’t they shooting their own foot?
“Windows had the fewest number of patches and the shortest average patch development time of the five operating systems it monitored in the last six months of 2006.”
Totally ignores the issue of whether the bad guys actually had a chance to take advantage of the vulnerabilities. This from the Symantec Threat Report:
[b]Zero-day vulnerabilities[/b]A zero-day vulnerability is one for which there is sufficient public evidence to indicate that the vulnerability
has been exploited in the wild prior to being publicly known. It may not have been known to the vendor
prior to exploitation, and the vendor had not released a patch at the time of the exploit activity.
Zero-day vulnerabilities represent a serious threat in many cases because there is no patch available for
them and because they will likely be able to evade purely signature-based detection. It is the unexpected
nature of zero-day threats that causes concern, especially because they may be used in targeted attacks
and in the propagation of malicious code. As Symantec predicted in Volume IX of the Internet Security
Threat Report, a black market for zero-day vulnerabilities has emerged that has the potential to put them into the hands of criminals and other interested parties.
In the second half of 2006, Symantec documented 12 zero-day vulnerabilities (figure 16). This is a
significant increase compared to the first half of 2006 and the second half of 2005 when only one zero-
day vulnerability was documented for each reporting period.Numerous high-profile zero-day vulnerabilities were discovered in the second half of 2006. This activity
peaked in September of 2006, when four zero-day vulnerabilities were documented. The majority of these
were client-side vulnerabilities that affected Office applications, Internet Explorer, and ActiveX controls.
Many of these may have been discovered through the use of fuzzing technologies.
Key words: Office, Internet Explorer, ActiveX controls.
Take a peek at this story from the Washington Post:
http://blog.washingtonpost.com/securityfix/2007/03/post_3.html
I originally reported there were about 3,220 victims scattered throughout the United States. After reading the story, a security officer at a financial institution notified me that he has been monitoring this same trove of stolen data since its inception. I've agreed not to name the individual or his employer.According to his data, the attackers have been running this operation since at least October 2006. That is when they began exploiting an unpatched vulnerability in Microsoft Windows PCs. Microsoft issued a patch for the flaw a few weeks later that month.
While he was unable to confirm more than 3,200 current, active victims, the data he collected suggests that the criminals have stolen data from at least 10 times that number of machines since December, according to the statistics page used by the criminals. As the graphic shows, the stats page showing the total number of compromised systems was reset in November.
Be sure to take a look at the statistics from the bad guys themselves:
Top ten browsers:
Explorer 99.42%
Avant 0.31%
Maxthon 0.17%
Firefox 0.03%
Top ten operating systems
Windows XP 87.70%
Windows 2000 12.12%
Windeows 2003 0.13%
Other 0.03%
Windows NT 0.00%
Windows ME 0.00%
Linux 0.00%
Somebody wake me up when the bad guys start pwning anything other than Windows via Internet Explorer, ActiveX or Orifice.