One topic that I get asked about each time we release a new volume of the Microsoft Security Intelligence Report is malware infection rates for operating systems and service packs. We released new data late this year in volume 13 of the report (SIRv13). Accordingly, I am dedicating a couple of articles to discussing the new malware infection rate data for operating systems and service packs.
The latest data published in SIRv13, focusing on the first half of 2012, shows that newer operating systems, such as Windows 7 and Windows Vista, continue to have lower malware infection rates than older operating systems like Windows XP Service Pack 3. Windows 7 Service Pack 1 and Windows Server 2008 R2 had the lowest infection rates in the second quarter of 2012. The infection rate for Windows XP Service Pack 3, the oldest supported operating system from Microsoft, is the highest by a significant margin.
Figure 1: Average infection rate (CCM) by operating system and service pack in the first half of 2012 (1H12)
Figure 2: Infection rate (CCM) trends for supported 32-bit versions of Windows XP, Windows Vista, and Windows 7, from the first quarter of 2011 (1Q11) to the second quarter of 2012 (2Q12)
Why was Windows Vista SP1’s malware infection rate higher than that of Windows XP SP3 in 3Q11?
The primary factor is that Windows Vista Service Pack 1 went out of lifecycle support on July 12, 2011. After this date, no new security updates are provided for Windows Vista SP1. Systems still running Windows Vista Service Pack 1 should have Windows Vista Service Pack 2 installed immediately so that they get the benefits of security updates again.
The malware infection rate of Windows 7 RTM and Windows 7 SP1 has increased over the past several quarters. What factors are contributing to this?
Figure 3 shows how the malware infection rates of various versions of Windows 7 have seen slight increases between the second quarter of 2011 and the second quarter of 2012. I characterize these as slight increases because it’s important to keep in mind that these numbers are measured in computers cleaned per mille (CCM) – meaning how many computers were found to be infected for every 1,000 computers that the Malicious Software Removal Tool scanned during those periods. So a CCM increase to 3.1, for example, is an increase to 0.31% (3.1 out of 1,000).
Figure 3: The malware infection rate (CCM) for Windows 7 RTM and Windows 7 Service Pack 1, 32-bit (x86) and 64-bit (x64) editions, in the second quarter of 2011 (2Q11) and the second quarter of 2012 (2Q12), with the increase between periods
I think there are a number of factors contributing to this slight upward trend. One thing to keep in mind about the threat landscape is that nothing stays the same for very long. Hundreds of millions of users are using their computers constantly – installing applications and services on their systems, visiting websites, exchanging emails and instant messages, downloading documents, music and videos, and interacting with social networks. Through no fault of their own, some of these activities increase the attack surface of their devices. In addition, vulnerability researchers are trying to find new classes of vulnerabilities using ever more sophisticated tools and techniques, while attackers are constantly looking for ways to exploit vulnerabilities and/or use social engineering to compromise systems. The time period I am discussing here certainly had all of these factors in play, and perhaps at higher levels than in the past. Some examples of these factors include:
A long term trend of a relatively high number of vulnerability disclosures in applications
A relatively large percentage of vulnerability disclosures in applications is likely a factor in higher infection rates. Since the first half of 2011 there have been more than 3,000 vulnerability disclosures in applications across the entire industry. Vulnerability disclosures in applications typically represent the vast majority (70%+) of vulnerability disclosures in all software (applications, operating systems, and browsers) in any half-year period during this time. In time, as more applications are installed on a system, that system’s risk profile increases. With application vulnerabilities accounting for over 70% of all vulnerability disclosures, it’s not surprising to see two or three more systems out of 1,000 being cleaned of malware. In the first half of 2012, operating system vulnerabilities dropped to the lowest level since 2003. But vulnerability disclosures in applications increased significantly in the first half of 2012, representing over 70% of all disclosures for the period.
Figure 4: Industry-wide operating system, browser, and application vulnerabilities, 2H09–1H12
An increase in exploit activity, Trojans, and Trojan Downloaders & Droppers
I don’t remember a period during the last five years when exploit activity was higher than it has been over the past year (for more context, see the recent article: Exploit Activity at Highest Levels in Recent Times: The Importance of Keeping All Software Up To Date). In the past, in a region where attackers were very active, I might expect to find one exploit on the top 10 list of threats there. But today, many regions have multiple exploits on their top 10 lists. The “Black Hole” exploit kit and exploitation attempts of Java vulnerabilities are the primary reasons for this. In addition, Trojans and Trojan downloaders/droppers, two categories of severe threats, seem to be making a resurgence in popularity among attackers. As seen in Figure 5, detections of all these threat categories have been trending higher recently. Even in locations with consistently low malware infection rates, such as Finland, these more severe threats are more common than in the past.
Figure 5: Detections by threat category, 1Q11–2Q12, by percentage of all computers reporting detections
Figure 6: The top 10 malware and potentially unwanted software families in Finland in 2Q12
The factors I outlined here are certainly contributing to the slight increases in the malware infection rates of Windows 7 based systems. That said, Windows 7 still has the lowest infection rates of any client operating system we report on in the SIR.
Call to Action
If you are still running systems with Windows XP SP2 or Windows Vista SP1 in your environment, you need to install the latest service pack on these systems immediately as they are no longer automatically receiving new security updates from Microsoft. End of support for Windows XP SP3 is April 8, 2014. Migrate to Windows 7 or Windows 8 ASAP.
- Deploy security updates for all software you have in your environment in a timely manner; this includes all software from all vendors, not just Windows operating systems.
- Use anti-malware software from a reputable vendor and keep it up to date.
- Use newer versions of software and newer service packs where possible to get the security benefits of the latest development practices, tools and security mitigations.
Now that I have discussed the malware infection rate trends for operating systems and some factors influencing them, in my next article I will examine the specific families of threats that we find most often on Windows 7, Windows Vista, and Windows XP based systems.