Look around you. If Microsoft's numbers are right, then in any group of 20 people each working on a PC, the odds are that at least one of those machines is infected with malware.
Based on statistics gathered by its free scanning tool, Microsoft Safety Scanner, Microsoft reported last month that 5% of computers – one out of every 20 – are infected with malware. The average number of malware applications on each infected machine? Nearly 3.5. With this much malware out there, it’s little wonder we’re seeing such a high number of security breaches at major corporations.
But Microsoft's figures could be drastically low or drastically high depending upon whom you believe. They also come from a self-selected sample: people who download an on-demand scanner often already suspect something is wrong with their machine, so the 5% rate should not be read as a measurement of PCs in general.
CNN Money reported earlier this year:
Almost half of all personal computers in the U.S. are infected with malware -- but a new study shows that 83% of people think their PCs are clean.
Ed Bott, in his Microsoft Report at ZDNet, quickly refuted this figure. Bott said:
That statement is an outright fabrication. It is not true. It is not even remotely accurate, based on objective data. The actual number varies, depending on where you are in the world, but for Windows users who have automatic updates turned on, the worldwide average is somewhere between 1% and 2%. In my opinion, if you practice the basics of online security, the likelihood that your Windows PC is infected by malware is a tiny fraction of 1%.
So which is it? 1%? 5%? 50%? If one of the infected PCs is yours, or is a PC on your enterprise network, does it really matter what the correct percentage is?
The fact of the matter is that the exact percentage of computers infected by malware doesn't really matter. The bigger concern should be what needs to be done about it.
For my own part, I tend to be a bit fanatical about the security of my PC. I run virus scans every night, never open an attachment from someone I don’t know and avoid the games on Facebook like the plague…at least, ever since one of my nightly scans showed that one of those games parked a Trojan on my system.
I am probably the exception to the rule. The average PC user is far too trusting. Most assume that the creators of their software wrote invulnerable applications, and they are content in the belief that their PCs are malware-free. They go on using their computers without concern for what they may be exposing, and by the time they do run some form of virus scan, the malware has already been on their machine, exposing them, for days or even weeks. And I'm not just talking about the home user, either; just witness the Department of Defense's admission to a security breach back in March!
As Scott Wu and Joe Faulhaber at the Microsoft Malware Protection Center point out:
Of course many of these detections by MSS are the debris or aftermath after the exploit has already executed. By the time a user downloads and runs MSS to detect malware, the machine may have already been infected, if it was vulnerable to the exploit at the time.
Rather than relying on a single on-demand scan, Microsoft advises users of the tool to run resident antivirus software as a sentinel for their systems. However, even top-of-the-line antivirus is reactive by design: it raises an alert when it recognizes malware that is already on the machine or is attempting to run, and it does nothing about the vulnerability that let the attacker in. What we really need is to establish a "zero vulnerability" standard for software, which starts with improved assessment of the structural quality of software applications and finding vulnerabilities before they are deployed.
By the way, remember how I said I tend to be a bit fanatical about the security of my PC? Just reading about malware made me worry again about my PC. So I downloaded MSS, ran it as I wrote this blog and found my PC to be free of malware and viruses…I just hope Microsoft did its due diligence when it developed MSS and paid close attention to its structural quality!