Symantec's comprehensive security report on the malware industry from July 1 to December 31, 2007, is now available (PDF) in its 100+ page glory. While some parts of the report simply reiterate data we're well aware of—it's no surprise to read that the majority of malicious activity originates in the US—there's also a great deal of new information here that we'll examine below.

OS/software vulnerabilities

Symantec broke down information on patch development time by operating system and by the type of vulnerability encountered. Surprisingly, Microsoft had the shortest time-to-patch over both halves of 2007. In the first part of the year, Microsoft released 38 patches (two of which involved third-party applications) with an average deployment time of 18 days. From July to December, Microsoft released 22 patches with an average patch time of six days.

Red Hat came in second, at 32 days for the second half of the year and 36 days in the first half. That's quite a bit higher than Microsoft's average, but of the 227 vulnerabilities Red Hat patched in 2007, 226 of them involved third-party applications. Apple, Sun, and HP all lag well behind Microsoft and Red Hat, though the gap for each company differs significantly between the first and second halves of last year.

Vulnerability breakdowns by type are listed above for each company. Client-side attacks are vulnerabilities that specifically affect network client software and software that receives data from network clients. These vulnerabilities do not directly affect web browsers, though web browsers may provide the initial vector of attack. Local vulnerabilities, in this context, refers to vulnerabilities that can only be exploited by a person physically located at the machine in question.

Full Story At Source

Send via e-mail | Submit to Digg | Add to Live Favorites