In its recent Q3 2012 Threat Evolution, Kaspersky reported on the Top Ten Threats that it saw during the previous three months. Here they are with the percentage of users on whose computer the vulnerability was detected:

1. 35% - Oracle Java
2. 22% – Oracle Java again
3. 19% – Adobe Flash Player
4. 19% – Adobe Flash Player again
5. 15% – Adobe Acrobat/Reader
6. 14% – Apple Quicktime
7. 12% – Apple iTunes
8. 11% – Winamp
9. 11% – Adobe Shockwave
10. 10% – Adobe Flash Player yet again

Microsoft products no longer feature among the Top 10 products with vulnerabilities. This is because the automatic updates mechanism has now been well developed in recent versions of Windows OS.

The big story here is that Microsoft is no longer part of the top ten list for vulnerabilities. For years Microsoft’s products have been the main target but that has shifted over time as criminals have moved to other targets.

I think that this is the result of multiple factors:

1. Microsoft’s Secure Windows Initiative
   
   All new code developed at Microsoft has to go through a security review. We have to model possible threats and how these are mitigated (e.g., tampering, information disclosure, unauthorized access, etc). This forces developers to think about security.
   
   This isn’t perfect, security holes will be found (such as this story where hackers claim that they have defeated Windows 8’s security measures) but it does force hackers to go to more effort and reduces the window of insecurity.
   
   
2. Automatic updates
   
   As the note from Kaspersky explains, Microsoft has built in automatic updates to its software processes. When software updates, vulnerabilities are closed and the window for attack shrinks. Not all users have automatic updates, but as users move from OS’es that don’t (Windows XP) to ones that do (Windows 7 and Windows 8), it results in better security.
   
   
3. A change in the market place
   
   While there are some things that Microsoft has done that have helped, the market has also shifted. Hackers and malware writers have moved onto developing for other platforms because that’s where the user base has shifted to (this is not a move from Windows to other devices but a move from Windows + other devices). Thus, Microsoft products have dropped from the top ten list in part because the criminals don’t find it as enticing as it once was.

Still, as someone who works for Microsoft, it’s nice to see a validation of some of our efforts to develop secure software.