Qualys & Sans: 'Huge jump' in Microsoft flaws since last year

<http://www.news.com/Study-Huge-jump-in-Microsoft-flaws-since-last-year/2100-1002_3-6220719.html?part=rss&edId=3&tag=2547-1_3-0-5&subj=news>

Study: 'Huge jump' in Microsoft flaws since last year
By Tom Espiner
Special to CNET News.com
Published: November 29, 2007, 1:40 PM PST

The past year has seen a massive increase in the number of flaws found in
Microsoft software, according to vulnerability-scanning company Qualys.

Between 2006 and 2007, there was an almost threefold rise in Microsoft flaws,
Qualys said on Wednesday.

"We have seen a huge jump in the vulnerabilities in Microsoft Office
products," said Amol Sarwate, manager of Qualys' vulnerability-management lab.
"These charts show growth of nearly 300 percent from 2006 to 2007, primarily
in new Excel vulnerabilities that can easily be exploited by getting
unsuspecting users to open Excel files sent via e-mail and instant message."

Alan Paller, director of research for the Sans Institute, a computer-security
training organization, said that the reason more vulnerabilities were being
found was that it was becoming increasingly profitable for crooks to target
the software.

"It isn't that Microsoft isn't doing a better job," Paller said. "The reason
(is that) it is so lucrative to find vulnerabilities in Excel and Word, so
there are a lot of (hackers) searching for them."

Microsoft declined to comment for this story.

Ahem. So the problem isn't due to Microsoft, it's due to
profiteering. Yeah. Right.

So, what are the flaws doing there in the Microsoft software in
the first place?

You'd think Sans would get the clue that better coding = fewer
vulnerabilities. Equally, crappier coding = more vulnerabilities.

So let's put the real blame where it belongs: In the software. If
the vulnerability is there, the hackers will come. That's the way
it always works.

Thank you Microsoft.

:-P

--
Fortune Magazine 11-29-05: What's your computer setup today?
Frederick Brooks: I happily use a Macintosh. It's not been
equalled for ease of use, and I want my computer to be a tool,
not a challenge.
<http://money.cnn.com/magazines/fortune/fortune_archive/2005/12/12/8363107/>
[Frederick Brooks is the author of 'The Mythical Man Month'.
He spearheaded the movement to modernize computer software
engineering in 1975.]