Software applications, and in particular web browsers, are responsible for nine out of 10 published vulnerabilities, more than operating systems, according to Microsoft.
Microsoft's Security Intelligence Report for the first half of 2008 says OS vulnerabilities are now stable at between six and eight percent of those reported, a level they have been at since the first half of 2006. Vulnerabilities in Windows XP and Vista have shown a modest decrease in 2008, continuing a similar trend over the same period.
But the report paints a more complex picture in terms of which platforms are the ones most likely to run vulnerable applications. Windows Vista scores well: Microsoft-based software accounts for only six percent of vulnerabilities on that platform, and none of the top ten browser-based holes affected that OS.
Over the period, the biggest Vista-based software vulnerabilities appeared to be in two ActiveX controls installed only in China, which would seem to confirm the relative obscurity of serious issues on the platform.
Windows XP, by contrast, is still Microsoft's biggest headache, with 42 percent of all app holes on that platform coming from Microsoft's own software.
Using the number of PCs cleaned per 1,000 executions of Microsoft's own Malicious Software Removal Tool (MSRT), Windows Vista SP1 scored 4.5, while the different updates of XP scored between 9.2 and 33.8. All of this confirms what has been well established in the past: Windows XP and its applications are still relatively vulnerable, while the newer Vista and its applications do considerably better.
Across the industry as a whole, software vulnerabilities classified by the industry-standard Common Vulnerability Scoring System v2 (CVSSv2) as 'severe' now account for 7.3 percent of those made public, with a startling 41 percent classified as 'high'. More encouragingly, Microsoft reports, only 10.4 percent of holes had publicly available exploit code.
In truth, it is extremely hard to gauge from the report how Windows stacks up against rival platforms such as Apple or Linux in terms of OS and app holes, but the overall message to take away appears to be that the OS is not the main worry. The big concern now is browsers such as Firefox and Internet Explorer on all platforms, including Windows.
Analysing these by locale showed that China was the most likely place for browser-based exploits to hit, with 46.6 percent of them happening in that country across all platforms. The US came second on 23 percent, Russia third with seven percent and the UK some way back with 2.4 percent.