10/10/2011
06:44 PM

Zero-Day Threats Exaggerated, Says Microsoft Report

Microsoft's semi-annual security report says that the threat from software vulnerabilities is small--and from zero-day attacks minuscule. IT should instead protect against phishing and other social engineering attacks.

The importance of software vulnerabilities, and of zero-day vulnerabilities in particular, is exaggerated in the public mind, according to volume 11 of the Microsoft Security Intelligence Report.

The new volume is based on security telemetry gathered by Microsoft from systems the world over from January through June 2011. The most widespread and interesting source for the report is the Malicious Software Removal Tool (MSRT) that runs every month with Windows Update. From each of these, Microsoft gathers anonymous information about the system and the malware on it. The MSRT doesn't detect the vast majority of malware, but focuses on the most common variants. Another source of information is Microsoft's own security products. Focusing on the most common threats, Microsoft found that 27 malware "families" accounted for 83% of all malware detections.

The overwhelming characteristic of the threats was that they relied primarily on social engineering techniques to infect systems, generally tricking the user into clicking on something or using Autorun.

In the chart below, malware is seen as employing more than one attack technique (autorun, file infection, user intervention, etc.).

[Chart: Microsoft Malware Statistics]

The report found that by comparison, exploiting vulnerabilities was a fairly rare occurrence, with only 0.01% of attacks exploiting zero-day vulnerabilities. Zero-day vulnerabilities are those reported before an update can be issued.

Yet zero-day vulnerabilities garner headlines whenever they are revealed. They are frightening because users feel unprotected against them, even though in most cases there are mitigating techniques users can employ to block attacks or minimize their damage. Exploits of vulnerabilities that have already been patched--in some cases years ago--are much more common, although still just about 5%.

The point of Microsoft's analysis is to convince IT to prioritize its security efforts. Microsoft itself has made efforts along these lines to great effect. Windows 7, for instance, removed Autorun behavior that was widely exploited in earlier versions of Windows. In February, Microsoft fixed Windows XP and Windows Vista, too. As a result, the number of successful Autorun exploits has steadily and substantially decreased.

Social engineering is another popular technique. The report notes that 50% of all phishing attacks targeted social networking sites--resulting in, for instance, Facebook clickjacking.

What can you do about social engineering? Experts disagree about the efficacy of training and education, but it's certainly one option. Another is to make sure your systems and applications are up-to-date and running the most recent versions. Internet Explorer 9, for example, is considerably more resistant to malware attack than any other browser, according to outside tests. Microsoft has launched the Web site yourbrowsermatters.org to spread this message.
