Microsoft Security Intelligence Report 2H07

Yesterday, Microsoft published the new Security Intelligence Report for the second half of 2007 (the home page is http://www.microsoft.com/sir, and the download page is here).

As one of the contributors for the report, I’d like to highlight the findings summary for the Industry vuln trends:

  • Vulnerability disclosures decreased by about 5 percent in 2007, reversing a multiyear trend of increasing disclosures. Almost all of this decrease was observed in the second half of the year, which had the fewest disclosures since 2H05.
  • Despite the decrease, the number of new disclosures across the industry remains in the thousands, with the number of disclosures in 2007 surpassing that of every other year in the study except 2006.
  • The Common Vulnerability Scoring System (CVSS) used to score vulnerabilities in the NVD was revised in 2007 to increase its accuracy, consistency, and applicability. Retroactively applying the new formula to vulnerabilities disclosed in previous years classifies a much higher percentage of vulnerabilities as High-severity than was previously the case. The vulnerabilities disclosed in 2007 continue this trend, with High-severity vulnerabilities accounting for about half of the total number of vulnerabilities.
  • Vulnerabilities requiring a Low-level of complexity in order to exploit accounted for about half of all vulnerabilities disclosed in 2H07. Although this number is relatively large, the number has declined significantly from earlier periods.

Here is the high level trend chart from the report:

[Image: sir4-vulns]

Regards ~ Jeff

About the Author
Jeff Jones

Principal Cybersecurity Strategist

Jeff Jones is a 27-year security industry professional who has spent the last decade at Microsoft working with enterprise CSOs and Microsoft's internal teams to drive practical and measurable security improvements into Microsoft products and services. Additionally, Jeff analyzes vulnerability trends…