Author Topic: Internet Security Threat Report  (Read 2406 times)

drhayden1

  • Guest
Internet Security Threat Report
« on: March 23, 2007, 08:44:37 AM »
from norton(ugh!!!) ::)
http://www.symantec.com/enterprise/theme.jsp?themeid=threatreport
http://www.internetnews.com/security/article.php/3667201
Symantec, usually no fan of Microsoft, recently released their 11th Internet Security Threat Report, in which they found, "Windows had the fewest number of patches and the shortest average patch development time of the five operating systems it monitored in the last six months of 2006."
It took Microsoft an average of 21 days to roll out patches for 39 security holes in Windows (a more than 100% increase in vulnerabilities over the same period in 2006), beating #2 ranked Red Hat Linux which required an average of 58 days to fix 208 security issues. Of course, of those 208 holes in Red Hat, only 2 were high-severity and 76 were considered low-risk.
Apple, for its part, needed an average of 66 days to fix 43 vulnerabilities. (I guess the Cupertino kids were busy working on that iPhone hotness).
« Last Edit: March 23, 2007, 09:09:48 AM by drhayden1 »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Internet Security Threat Report
« Reply #1 on: March 23, 2007, 06:45:12 PM »
Symantec, usually no fan of Microsoft
They criticize the operating system which allows them to sell antivirus most.
Aren't they shooting their own foot?
The best things in life are free.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Internet Security Threat Report
« Reply #2 on: March 23, 2007, 10:01:15 PM »
"Windows had the fewest number of patches and the shortest average patch development time of the five operating systems it monitored in the last six months of 2006."

Totally ignores the issue of whether the bad guys actually had a chance to take advantage of the vulnerabilities. This from the Symantec Threat Report:

Quote
Zero-day vulnerabilities

A zero-day vulnerability is one for which there is sufficient public evidence to indicate that the vulnerability has been exploited in the wild prior to being publicly known. It may not have been known to the vendor prior to exploitation, and the vendor had not released a patch at the time of the exploit activity. Zero-day vulnerabilities represent a serious threat in many cases because there is no patch available for them and because they will likely be able to evade purely signature-based detection. It is the unexpected nature of zero-day threats that causes concern, especially because they may be used in targeted attacks and in the propagation of malicious code. As Symantec predicted in Volume IX of the Internet Security Threat Report, a black market for zero-day vulnerabilities has emerged that has the potential to put them into the hands of criminals and other interested parties.

In the second half of 2006, Symantec documented 12 zero-day vulnerabilities (figure 16). This is a significant increase compared to the first half of 2006 and the second half of 2005 when only one zero-day vulnerability was documented for each reporting period.

Numerous high-profile zero-day vulnerabilities were discovered in the second half of 2006. This activity peaked in September of 2006, when four zero-day vulnerabilities were documented. The majority of these were client-side vulnerabilities that affected Office applications, Internet Explorer, and ActiveX controls. Many of these may have been discovered through the use of fuzzing technologies.

Key words: Office, Internet Explorer, ActiveX controls.

Take a peek at this story from the Washington Post:

http://blog.washingtonpost.com/securityfix/2007/03/post_3.html

Quote
I originally reported there were about 3,220 victims scattered throughout the United States. After reading the story, a security officer at a financial institution notified me that he has been monitoring this same trove of stolen data since its inception. I've agreed not to name the individual or his employer.

According to his data, the attackers have been running this operation since at least October 2006. That is when they began exploiting an unpatched vulnerability in Microsoft Windows PCs. Microsoft issued a patch for the flaw a few weeks later that month.

While he was unable to confirm more than 3,200 current, active victims, the data he collected suggests that the criminals have stolen data from at least 10 times that number of machines since December, according to the statistics page used by the criminals. As the graphic shows, the stats page showing the total number of compromised systems was reset in November.

Be sure to take a look at the statistics from the bad guys themselves:

Top ten browsers:

Explorer    99.42%
Avant        0.31%
Maxthon      0.17%
Firefox      0.03%

Top ten operating systems:

Windows XP      87.70%
Windows 2000    12.12%
Windows 2003     0.13%
Other            0.03%
Windows NT       0.00%
Windows ME       0.00%
Linux            0.00%

Somebody wake me up when the bad guys start pwning anything other than Windows via Internet Explorer, ActiveX or Orifice.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog