Microsoft report sheds light on security trends
Written by Dan Blacharski on April 10, 2009
Microsoft’s latest Security Intelligence Report for the second half of 2008 is now available. The report provides some perspective on global trends in software vulnerabilities and malicious software. Microsoft of course takes the time to point out that malicious software infections differ based on the version of Windows, and that Vista was less infected than XP.
The main points start with the prevalence of rogue security software, which has increased over the past three periods. This is the annoying scareware that tells you that you’ve been infected and that you then need to buy a specific product to get rid of the infection. In reality, the product is usually either useless or has been specifically created only to get rid of an infection that the purveyors of the software created in the first place.
The report also noted a big increase in document file format exploits, which use a common file format as a way to transmit an exploit. While most e-mail programs can block different types of files based on the extension, they do permit transmission of common file formats such as a Word file or a .PDF file, and this is why Trojan attacks based on these files have become more common. The report says that the most frequently exploited vulnerabilities were also some of the oldest, and over 90 percent of the document file format attacks exploited a vulnerability in Microsoft Office, even though a fix has been available for the vulnerability for more than two years. In most cases, victims did not have up-to-date service packs or security updates applied. Use of the .PDF format as a means of attack also rose dramatically during the second half of the year. As with the Office-based attacks, the Adobe vulnerabilities also have security updates available, and current versions do not contain the vulnerability.
Also of interest to email managers is the report's finding that over 97 percent of email messages are phishing attacks, are spam, or have a malicious attachment.


