• Announcements

    • xper

      MSFN Sponsorship and AdBlockers!   07/10/2016

      Dear members, MSFN is made available via subscriptions, donations and advertising revenue. The use of ad-blocking software hurts the site. Please disable ad-blocking software or set an exception for MSFN. Alternatively, become a site sponsor and ads will be disabled automatically and by subscribing you get other sponsor benefits.
JorgeA

Malware attack vectors

4 posts in this topic

I read somewhere recently that nowadays the majority of security threats to PCs and their users lies not in the operating system itself, but in the installed applications and in software platforms such as Flash and Java.

Does anybody have solid statistics (or a link to such) as to the proportion of PC attacks/infections that are attributable to the vulnerabilities that Mcrosoft deals with on Patch Tuesday, vs. those that are due to vulnerabilities in platforms like Flash and Java, or to the programs residing on a PC?

--JorgeA

0

Share this post


Link to post
Share on other sites

I guess you are asking a bit too much.

Particularly the "solid", but in any case it doesn't work really-really like this.

I mean, there are several stages that do not allow IMHO to draw a line.

A "vector" may be (in my personal experience the "best" vector is the user clicking on random things AND Outlook Express :ph34r:) Flash or Java, but 1/3 to 4/5 of *any* program nowadays access the Internet, at the very least to check for it's own updates, so it is difficult to say.

But the "vector" is only HOW the malware enters a machine, then the "payload" may make use of *any* vulnerability present on the system.

Loosely I would say that the patches on "Patch Tuesday" (those that tend to lead to "Exploit Wednesday" ;)) - with the singular exception of Internet Explorer (and Outlook/Outlook Express) patches - are largely preventing the "payload" from doing damages/work, and very little about the "vectors", but it is difficult - as said - to draw a line between the two.

jaclaz

0

Share this post


Link to post
Share on other sites

Thanks, jaclaz. It's too bad that there don't seem to be (and that it may not even be possible to have) good studies on this question that offer statistical breakdowns.

If the issue of hacking somebody's PC is a dynamic process where (say) the existence of a Java vulnerability then enables the use of a hole in the OS, then it all becomes a tangled mess and it's hard to tease out the causes.

--JorgeA

0

Share this post


Link to post
Share on other sites

Maybe this report will throw some light on the issue. Scroll down to the "Vulnerabilities" section.

If I read it right, it sounds like the great majority of security holes nowadays are in Adobe or Java products rather than the operating system.

Anybody have better (clearer or more definitive) numbers?

--JorgeA

P.S. Also check this out, especially the charts on pages 31 and 42 of the Full Report.

P.P.S. And one more:

Eighty-seven percent of the vulnerabilities found in the top 50 programs affected third-party programs such as Adobe Flash and Reader, Java, Skype, various media players and others outside the Microsoft ecosystem. That means the remaining 13 percent “stem from operating systems and Microsoft programs,” according to Secunia’s Vulnerability Review report, released yesterday.
Edited by JorgeA
0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.