New Microsoft Data Puts Zero-Day Threat Into Perspective

Report on infected Windows machines worldwide also highlights slack patching practices

First, the good news from Microsofts newest data on real-world Windows security incidents: Zero-day attacks are relatively rare. Now the bad news: Nintey-nine percent of all malware infections are due to organizations and users not applying security updates.
Microsofts latest Security Intelligence Report (SIR), published yesterday, demonstrates that enterprises and users could be more responsible for attacks on their machines than youd think: Less than 1 percent of all Windows attacks worldwide in the first half of this year used zero-day exploits. SIR version 11 is based on data from 600 million Windows machines in more than 100 countries and regions, gathered via Microsofts Malicious Software Removal Tool, Hotmail scans, Microsoft Security Essentials data, and Bing Web page scans.
Security experts are split over whether this means that zero-day attacks are overblown. Marcus Carey, a security researcher with Rapid7, says its another indication that zero-day threats are overrated.
Were getting back to the old-school security days. People issue patches, and you patch your stuff, plain and simple, Carey says. Attackers, meanwhile, know that people arent patching, so they use malware exploiting known vulnerabilities, as well as sure-thing social engineering tactics, to infect users, he says. Thats what the real risk to organizations are, instead of zero-days, he says.
But Chris Wysopal, CTO at Veracode, says the new Microsoft data doesnt mean you should dismiss the zero-day threat: Its more of a noise problem, he says. There are 100 times as many attacks happening with known vulnerabilities, so its drowning out the zero-days, he says.
Zero-days, he adds, cannot be overemphasized. They are the natural evolution of a vulnerability, Wysopal says. If Windows machines were auto-updated and patched, the number of infected systems attacked with known bugs would drop dramatically -- and the percentage of zero-day ones would rise, he says. The overall number of compromised systems would go down, he says.
Jeff Jones, director of Microsofts Trustworthy Computing Group, says the data puts the zero-day threat into context and should alleviate some of the panic surrounding these types of attacks. When youre looking at this level of volume, context is the word that comes to mind for me, Jones says. By no means ignore zero-days. What were saying is youre an IT department with limited resources -- we want you to be enabled with the data so you can [properly prioritize and assess risk].
So what does this mean for targeted attacks, such as those perpetrated by so-called advanced persistent threat (APT) actors? Theyre still out there, but not infecting as many machines as the more mainstream attacks, experts say.
The fact that there are zero-days that enable targeted attacks ... against high-value targets doesnt mean the other stuff goes away, Microsofts Jones says.
Rapid7s Carey says the less than 1 percent figure for zero-day attacks indicates that some organizations could be falsely placing the blame on unknown threats as the source of their breaches. If only less than 1 percent are zero-days, a bunch of people arent being forthright ... 99 percent are not zero-days, he says. Some define a zero-day as something their AV didnt see, for example, but it still could have been a known vulnerability, he says.
In the big RSA Security data breach in March, the vulnerability used was a Flash object in an Excel file -- and it wasnt a zero-day, Veracodes Wysopal says. It was known for a day or two, but hadnt been patched, he says. It shows how attackers try to attack really quickly after they find out about [a vulnerability].
Overall, Microsoft found that about 45 percent of malware was spread via social engineering, or where user interaction was required to infect the machine: clicking on a URL or opening an infected file, for example. More than 25 percent spread via AutoRun using a USB; 17 percent using AutoRun via a network; and 4 percent via file infector/viruses.
Rogue antivirus is still big, as are email scams, phishing, and repackaged malware on sites that contain legitimate software. Phishing attacks aimed at social networking sites hit 84 percent in April, representing about half of all phishing attempts that month, according to Microsofts findings.
Some 27 of the most severe threats accounted for 83 percent of the volume of malware Microsofts tools cleaned up during the January-to-June 2011 period.
The AutoRun attacks were a little higher than I expected, Jones says. This is one thats usually there in addition to other vectors.
Many of the infections exploited older bugs. Less than half of the attacks in the first half of this year targeted vulnerabilities that had been disclosed within the previous year. The majority of them went after bugs that had patches available for more than a year. This was a very actionable thing for companies to take care of and shut down, he says.
Jones says aside from applying updates as soon as possible, moving to newer Windows platforms and software with the latest mitigations can significantly reduce the attack surface.
A full copy of Microsofts SIRv11 is available
here
for download.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
New Microsoft Data Puts Zero-Day Threat Into Perspective