06:44 PM

Zero-Day Threats Exaggerated, Says Microsoft Report

Microsoft's semi-annual security report says that the threat from software vulnerabilities is small--and from zero-day attacks minuscule. IT should instead protect against phishing and other social engineering attacks.

The importance of software vulnerabilities, and of zero-day vulnerabilities in particular, is exaggerated in the public mind, according to volume 11 of the Microsoft Security Intelligence Report.

The new volume is based on security telemetry gathered by Microsoft from systems the world over from January through June 2011. The most widespread and interesting source for the report is the Malicious Software Removal Tool (MSRT) that runs every month with Windows Update. From each of these, Microsoft gathers anonymous information about the system and the malware on it. The MSRT doesn't detect the vast majority of malware, but focuses on the most common variants. Another source of information is Microsoft's own security products. Focusing on the most common threats, Microsoft found that 27 malware "families" accounted for 83% of all malware detections.

The overwhelming characteristic of the threats was that they relied primarily on social engineering techniques to infect systems, generally tricking the user into clicking on something or using Autorun.

In the chart below, malware is seen as employing more than one attack technique (autorun, file infection, user intervention, etc.).

[Chart: Microsoft Malware Statistics]

The report found that by comparison, exploiting vulnerabilities was a fairly rare occurrence, with only 0.01% of attacks exploiting zero-day vulnerabilities. Zero-day vulnerabilities are those reported before an update can be issued.

Yet zero-day vulnerabilities garner headlines whenever they are revealed. They are frightening because users feel unprotected against them, even though in most cases there are mitigating techniques users can employ to block attacks or minimize their damage. Exploits of vulnerabilities that have already been patched--in some cases years ago--are much more common, although still just about 5%.

The point of Microsoft's analysis is to convince IT to prioritize its security efforts. Microsoft itself has made efforts along these lines to great effect. Windows 7, for instance, removed Autorun behavior that was widely exploited in earlier versions of Windows. In February, Microsoft fixed Windows XP and Windows Vista, too. As a result, the number of successful Autorun exploits has steadily and substantially decreased.

Social engineering is another popular technique. The report notes that 50% of all phishing attacks targeted social networking sites--resulting in, for instance, Facebook clickjacking.

What can you do about social engineering? Experts disagree about the efficacy of training and education, but it's certainly one option. Another is to make sure your systems and applications are up-to-date and running the most recent versions. Internet Explorer 9, for example, is considerably more resistant to malware attack than any other browser, according to outside tests. Microsoft has launched the Web site to spread this message.
