Zero-Day Attacks Loom As Biggest Security Threats

Zero-day threats are on the minds of IT pros now more than ever, most likely because this year saw a sharp increase in exploits unleashed before the vulnerabilities they targeted could be patched. In fact, 67% of the 200 CIOs, chief security officers, IT managers, and network administrators PatchLink surveyed for its latest research report, released Wednesday, expect even more zero-day threats in 2007. And nearly one-third say that an anticipated increase in zero-day attacks is the primary issue driving their security spending in the coming year.

The SANS Institute makes a similar observation about zero-day attacks, stating in a report of its own that this year it's seen a "significant rise in attacks that take advantage of zero-day vulnerabilities, leaving a user or system unable to defend against the attack since no patch is available." The focus of most of these attacks is Microsoft products, in particular Internet Explorer.

"The reality is that the zero-day attacks are pushing the envelope on how fast software developers issue patches," says Chris Andrew, PatchLink's VP of security technologies. "And most software users lack an infrastructure to rapidly deploy a workaround or patch."

Windows has the dubious distinction of being the target of this year's first zero-day attack, when the Windows Metafile flaw surfaced in early January. This is consistent with PatchLink's findings that 97% of its survey respondents feel Windows is still the operating system most prone to attack and 88% say their main security concern is protecting Internet Explorer.

That's not to say that Microsoft will always be the worst offender when it comes to security vulnerabilities. PatchLink found that more than half of its survey respondents are seeing an increase in non-Microsoft vulnerabilities. More than half also believe the new Vista version of Windows will be more secure than Windows XP, although the biggest surprise here is that more people don't feel this way, given all of the effort that Microsoft has made both to improve security features in Vista and implement more secure practices during Vista's development. Of course, organizations still have to implement Vista before they can experience any of the new operating system's benefits, and 35% of respondents to PatchLink's survey say they won't switch to Vista until sometime after 2007.

At this summer's Black Hat security conference, there were several sessions devoted to Vista security, both extolling its virtues and pointing out its flaws. "There are already people sharpening the knife to be the first in there to attack Vista," Andrew says.

Most organizations (89%) say they're more secure now than a year ago. Still, the majority (66%) are planning to increase their 2007 spending on security. In addition to zero-day attacks, concerns over regulatory compliance requirements and increasingly mobile workforces are the two biggest drivers of security spending.