The importance of software vulnerabilities, and of zero-day vulnerabilities in particular, is exaggerated in the public mind according to volume 11 of the Microsoft Security Intelligence Report.
The new volume is based on security telemetry gathered by Microsoft from systems the world over from January through June 2011. The most widespread and interesting source for the report is the Malicious Software Removal Tool (MSRT), which runs every month with Windows Update. From each run, Microsoft gathers anonymous information about the system and the malware found on it. The MSRT doesn't detect the vast majority of malware; it focuses on the most common variants. Another source of information is Microsoft's own security products. Focusing on the most common threats, Microsoft found that 27 malware "families" accounted for 83% of all malware detections.
The overwhelming characteristic of the threats was that they relied primarily on social engineering techniques to infect systems, generally tricking the user into clicking on something or using Autorun.
In the chart below, malware is seen as employing more than one attack technique (autorun, file infection, user intervention, etc.).
The report found that by comparison, exploiting vulnerabilities was a fairly rare occurrence, with only 0.01% of attacks exploiting zero-day vulnerabilities. Zero-day vulnerabilities are those reported before an update can be issued.
Yet zero-day vulnerabilities garner headlines whenever they are revealed. They are frightening because users feel unprotected against them, even though in most cases there are mitigating techniques users can employ to block attacks or minimize their damage. Exploits of vulnerabilities that have already been patched--in some cases years ago--are much more common, although still just about 5%.
The point of Microsoft's analysis is to convince IT to prioritize their security efforts. Microsoft itself has made efforts along these lines to great effect. Windows 7, for instance, removed the Autorun behavior that was widely exploited in earlier versions of Windows. In February, Microsoft fixed Windows XP and Windows Vista, too. As a result, the number of successful Autorun exploits has steadily and substantially decreased.
Social engineering is another popular technique. The report notes that 50% of all phishing attacks targeted social networking sites--resulting in, for instance, Facebook clickjacking.
What can you do about social engineering? Experts disagree about the efficacy of training and education, but it's certainly one option. Another is to make sure your systems and applications are up to date and running the most recent versions. Internet Explorer 9, for example, is considerably more resistant to malware attacks than any other browser, according to outside tests. Microsoft has launched the Web site yourbrowsermatters.org to spread this message.