Vulnerability disclosures in the second half of 2013 were up 6.5 percent from the first six months of the year industry-wide, according to a new report from Microsoft.
The stats were included in Microsoft’s latest Security Intelligence Report. According to the company, the number of vulnerability disclosures during the final half of the year remained below its peak in the first half of 2012 and well below levels seen prior to 2009, when totals of 3,500 disclosures or more were not uncommon for six-month periods.
High-severity vulnerability disclosures decreased 8.8 percent industry-wide in the second half of 2013 after increasing by 20.4 percent from the second half of 2012 to the first half of 2013. These vulnerabilities accounted for 31.5 percent of total disclosures in the second half of last year, compared to 31.6 percent in the preceding six months.
“New research conducted by Trustworthy Computing’s Security Science team shows a 70 percent decline in the number of severe vulnerabilities (those that can enable remote code execution) that were exploited in Microsoft products between 2010 and 2013,” blogged Tim Rains, director of Trustworthy Computing at Microsoft. “This is a clear indication that newer products are providing better protection, even in cases where vulnerabilities exist. While this trend is promising, cybercriminals aren’t giving up.”
Vulnerabilities in applications other than web browsers and operating system applications increased 34.4 percent during the last half of 2013, and accounted for 58.1 percent of total disclosures for the period, the report noted. Operating system vulnerabilities increased 48.1 percent in the last six months of the year, going from last place to second. Overall, operating system vulnerabilities accounted for 17.6 percent of total disclosures for the period.
After reaching a high point in the first six months of 2013, operating system application vulnerabilities decreased 46.3 percent in the second half of the year, accounting for 14.7 percent of total disclosures for the period. Browser vulnerability disclosures dropped 28.1 percent during the final half of the year, accounting for 9.6 percent of total disclosures during the period.
“While this trend is promising, cybercriminals aren’t giving up,” Rains blogged. “Our data shows that in the second half of 2013 there was a noticeable increase in cybercriminal activity where attackers used deceptive practices. The continued increase in deceptive tactics is striking; in the last quarter of 2013, the number of computers impacted as a result of deceptive tactics more than tripled.”
The full report can be viewed here.
In addition to releasing its latest Security Intelligence Report, Microsoft on Tuesday released updated versions of white papers focused on software supply chain security and critical infrastructure protection.