Microsoft Mulls Malware

by Jonathan Bloom

Look around you. Microsoft's numbers say that if you are in a group of 20 people each working on a PC, the odds are that one of you is sitting at a machine infected with malware.

Based on statistics gathered by its free scanning tool, Microsoft Safety Scanner (MSS), Microsoft reported last month that 5% of the computers scanned – one out of every 20 – were infected with malware. The average number of malware applications on each infected machine? Nearly 3.5. With this much malware out there, it's little wonder we're seeing such a high number of security breaches at major corporations.

But Microsoft's figures could be drastically low or drastically high depending upon whom you believe. A number gathered by a scanner that people download when they already suspect something is wrong will also skew toward infected machines.

CNN Money reported earlier this year:

Almost half of all personal computers in the U.S. are infected with malware -- but a new study shows that 83% of people think their PCs are clean.

Ed Bott, in his Microsoft Report at ZDNet, quickly refuted this figure. Bott said:

That statement is an outright fabrication. It is not true. It is not even remotely accurate, based on objective data. The actual number varies, depending on where you are in the world, but for Windows users who have automatic updates turned on, the worldwide average is somewhere between 1% and 2%. In my opinion, if you practice the basics of online security, the likelihood that your Windows PC is infected by malware is a tiny fraction of 1%.

So which is it? 1%? 5%? 50%? If one of the infected PCs is yours, or is a PC on your enterprise network, does it really matter what the correct percentage is?

Vanquishing Vulnerabilities

The fact of the matter is that the percentage of computers infected by malware doesn’t really matter. The bigger concern should be what needs to be done about it.

For my own part, I tend to be a bit fanatical about the security of my PC. I run virus scans every night, never open an attachment from someone I don’t know and avoid the games on Facebook like the plague…at least, ever since one of my nightly scans showed that one of those games parked a Trojan on my system.

I am probably the exception to the rule. The average PC user is far too trusting. Most assume that the people who wrote their software wrote invulnerable applications, and they are content to believe their PCs are malware-free. They go on using their computers without a thought for what they may be exposing, and by the time they do run some form of virus scan, the malware has already been on the machine, exposing them, for days or even weeks. And I'm not only talking about the home user, either; just witness the Department of Defense's admission of a security breach back in March!

As Scott Wu and Joe Faulhaber at the Microsoft Malware Protection Center point out:

Of course many of these detections by MSS are the debris or aftermath after the exploit has already executed. By the time a user downloads and runs MSS to detect malware, the machine may have already been infected, if it was vulnerable to the exploit at the time.

Microsoft's new tool is not meant to be relied on as a single, one-off scan; it advises its users to run resident antivirus software as a sentinel for the system. But even top-of-the-line antivirus is reactive: it raises an alert when known malware is landing or has already run, and it does nothing about the vulnerability the malware came in through. What we really need is a "zero vulnerability" standard for software, which starts with better assessment of the structural quality of applications and with finding vulnerabilities before the software is deployed.
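To make concrete what "finding vulnerabilities before they are deployed" catches that an after-the-fact scanner cannot, here is an added example; it is not code from the original post or from any CAST or Microsoft tool. A C routine copies a user-supplied name into a fixed buffer with no bound, beside a hardened version that checks the length first and refuses input that does not fit. The function names and the 16-byte buffer size are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Fixed-size destination; the size is an assumption for the example. */
#define NAME_LEN 16

/* Vulnerable: copies an attacker-controlled string into a fixed buffer
 * with no length check. Any input of NAME_LEN bytes or more writes past
 * the end of out[]. This is the kind of structural defect a pre-deployment
 * assessment can flag from the source alone; antivirus only reacts once a
 * payload that abuses it is already on the machine. */
int copy_username_unsafe(const char *input, char out[NAME_LEN])
{
    strcpy(out, input);   /* unbounded copy */
    return 0;
}

/* Hardened: measure the input without reading past NAME_LEN bytes, reject
 * anything that does not fit together with its terminator, and only then
 * copy. Returns 0 on success, -1 if the input is too long. */
int copy_username_safe(const char *input, char out[NAME_LEN])
{
    size_t n = 0;
    while (n < NAME_LEN && input[n] != '\0')
        n++;
    if (n >= NAME_LEN) {       /* no room left for the NUL terminator */
        out[0] = '\0';
        return -1;
    }
    memcpy(out, input, n + 1); /* n + 1 includes the terminator */
    return 0;
}

/* Convenience wrapper: validate an input against a local buffer and
 * report only the status code (0 = fits, -1 = rejected). */
int check_username(const char *input)
{
    char buf[NAME_LEN];
    return copy_username_safe(input, buf);
}

int main(void)
{
    /* Constructed sample inputs: one that fits, one that does not. */
    const char *short_name = "alice";
    const char *long_name  = "an-unreasonably-long-username-from-a-form-field";

    printf("safe(\"%s\")  -> %d\n", short_name, check_username(short_name));
    printf("safe(overlong) -> %d\n", check_username(long_name));
    /* copy_username_unsafe(long_name, buf) would corrupt the stack and is
     * deliberately not called here. */
    return 0;
}
```

The hardened version does not merely cap the copy at NAME_LEN bytes (which would silently truncate the name); it refuses the input and tells the caller so, which is the behaviour a reviewer or static analysis rule should expect wherever external data meets a fixed buffer.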

By the way, remember how I said I tend to be a bit fanatical about the security of my PC? Just reading about malware made me worry again about my PC. So I downloaded MSS, ran it as I wrote this blog and found my PC to be free of malware and viruses…I just hope Microsoft did its due diligence when it developed MSS and paid close attention to its structural quality!


Filed in: Software Quality
Jonathan Bloom, Writer, Blogger & PR Consultant
Jonathan is an experienced writer with over 20 years writing about the Technology industry. Jon has written more than 750 journal and magazine articles, blogs and other materials that have been published throughout the U.S. and Canada. He has expertise in a wide range of subjects within the IT industry including software development, enterprise software, mobile, database, security, BI, SaaS/Cloud, Health Care IT and Sustainable Technology. In his free time, Jon enjoys attending sporting events, cooking, studying American history and listening to Bruce Springsteen music.