Zero-Day Threats Exaggerated, Says Microsoft Report - InformationWeek

Zero-Day Threats Exaggerated, Says Microsoft Report

Microsoft's semi-annual security report says that the threat from software vulnerabilities is small--and from zero-day attacks minuscule. IT should instead protect against phishing and other social engineering attacks.

The importance of software vulnerabilities, and of zero-day vulnerabilities in particular, is exaggerated in the public mind, according to volume 11 of the Microsoft Security Intelligence Report.

The new volume is based on security telemetry gathered by Microsoft from systems the world over from January through June 2011. The most widespread and interesting source for the report is the Malicious Software Removal Tool (MSRT) that runs every month with Windows Update. From each of these, Microsoft gathers anonymous information about the system and the malware on it. The MSRT doesn't detect the vast majority of malware, but focuses on the most common variants. Another source of information is Microsoft's own security products. Focusing on the most common threats, Microsoft found that 27 malware "families" accounted for 83% of all malware detections.

The overwhelming characteristic of the threats was that they relied primarily on social engineering techniques to infect systems, generally tricking the user into clicking on something or using Autorun.

In the chart below, malware is seen as employing more than one attack technique (autorun, file infection, user intervention, etc.).

[Chart: Microsoft Malware Statistics]

The report found that by comparison, exploiting vulnerabilities was a fairly rare occurrence, with only 0.01% of attacks exploiting zero-day vulnerabilities. Zero-day vulnerabilities are those reported before an update can be issued.

Yet zero-day vulnerabilities garner headlines whenever they are revealed. They are frightening because users feel unprotected against them, even though in most cases there are mitigating techniques users can employ to block attacks or minimize their damage. Exploits of vulnerabilities that have already been patched--in some cases years ago--are much more common, although still just about 5%.

The point of Microsoft's analysis is to convince IT to prioritize its security efforts. Microsoft itself has made efforts along these lines to great effect. Windows 7, for instance, removed Autorun behavior that was widely exploited in earlier versions of Windows. In February, Microsoft fixed Windows XP and Windows Vista, too. As a result, the number of successful Autorun exploits has steadily and substantially decreased.

Social engineering is another popular technique. The report notes that 50% of all phishing attacks targeted social networking sites--resulting in, for instance, Facebook clickjacking.

What can you do about social engineering? Experts disagree about the efficacy of training and education, but it's certainly one option. Another is to make sure your systems and applications are up-to-date and running the most recent versions. Internet Explorer 9, for example, is considerably more resistant to malware attack than any other browser, according to outside tests. Microsoft has launched the Web site to spread this message.
