Zero day threats are overstated

Earlier this week, Microsoft released the 11th version of its Security Intelligence Report. The headline finding was that fears of zero-day malware threats are overblown. Zero-days are a real problem, but they accounted for less than 1% of the exploit activity Microsoft observed. The rest of the attacks relied on social engineering, on features such as Auto-Run, or on exploits for vulnerabilities whose patches have existed for quite some time.

eWeek picked up the story, here are some excerpts:

A Microsoft report does not dismiss zero-day attacks but points out that a majority of attacks are social engineering techniques or exploits of known vulnerabilities.

Less than 1 percent of exploits discovered in the first half of 2011 took advantage of zero-day vulnerabilities, according to a report from Microsoft's Trustworthy Computing group.

Social engineering, brute-force attacks and auto-run threats continue to make up the bulk of attacks enterprises are seeing on their systems and networks, according to the latest Security Intelligence Report (SIR) released Oct. 11 by the Trustworthy Computing group at Microsoft. The six-month-long research was also presented at the RSA Conference Europe on the same day by Adrienne Hall, general manager of Trustworthy Computing.

Microsoft is not trying to give the impression that zero-day attacks aren't a problem, or that they don't need to be dealt with, Jeff Jones, director of security with the Trustworthy Computing group, told eWEEK. Rather, the report is intended to show that most threats are preventable and should help IT managers better assess risk and focus on how to educate users about defenses.

"We're not saying don't worry about zero-days, but they need to be put into context," Jones said.

Exploits based on zero-day vulnerabilities accounted for just 0.12 percent of all exploit activity during the first half of 2011, with a peak of 0.37 percent in June, according to Microsoft researchers. The report found that social engineering attacks, such as tricking users into doing something dangerous, are far more prevalent and have more risks for the enterprise. Microsoft researchers found that 44.8 percent of all malware was spread by some form of "user interaction" and 26 percent abused the Windows "Auto-Run" feature.

The report suggested that there are plenty of vectors to distribute malware, attack networks and steal information. There is "no single technique," according to Jones. Despite the fact that Microsoft has already released a patch to turn off Auto-Run on Windows systems, attacks exploiting the feature remain prevalent, according to the report.

Zero-day attacks generally get a lot of attention and are scarier for consumers and IT professionals, Jones said. Microsoft wanted to clarify what the scope of the threat is, which is why the latest SIR focused on zero-day vulnerabilities and attacks exploiting them.

SIR will "stop management from getting panicky" about zero-day threats because administrators who work with security "day-to-day" can use the information to show senior executives what threats are most prevalent against the enterprise, according to Jones.

"The risk associated with zero-day exploits is real and should be represented in organizations' risk management plans," Tim Rains, director of product management for Trustworthy Computing Communications at Microsoft, wrote in a blog.

The report is very clear about the fact that organizations running newer versions of software, and not just Microsoft products, are always better protected, Jones said. It is an "obvious call to action" to get organizations to take advantage of newer features and better protection by keeping up-to-date on software version numbers and even more so for Web browsers, he added.

This agrees with what I have been saying for a long time now – keep your versions of your software as up-to-date as you can.  In fact, it goes hand in hand with what I wrote yesterday when I said that nearly 1/4 of Internet users are still using older browsers.

Yes, zero-days are scary, but the overwhelming majority of attacks are preventable. If you keep your software up-to-date, what is left to worry about is mostly the small slice of zero-day exploits, the kind more often seen in Advanced Persistent Threats than in commodity malware.

A few months ago I would have agreed that being up-to-date is the most important thing that users can do for their computers.  After presenting at Virus Bulletin last week, I disagree and will prioritize differently (this is my opinion).  In order of importance, here are the three things computer users most need to be aware of:

  1. The Internet is fun but only deal with trustworthy sources.

  2. Keep your software up to date.  This is something you will always have to do for as long as you own a computer.

  3. Learn to recognize scams.

I’ll go into the details of why I rank things that way in a separate post.
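The report's point that Auto-Run abuse is still widespread even though the fix has shipped is one an administrator can check directly. The following is an added example, not code from the SIR, from Microsoft, or from the eWeek article: it reads the NoDriveTypeAutoRun policy value (a DWORD bitmask of drive types on which AutoRun is disabled; 0xFF disables it everywhere) from both the machine and user policy keys, reports the state, and with -Fix sets it to 0xFF. The registry path, value name and bit meanings are the standard documented ones; the warning thresholds and output wording are this example's own.

```powershell
# Added example, not code from the SIR, Microsoft, or the eWeek article.
# Audits whether AutoRun is disabled via the NoDriveTypeAutoRun policy value
# (0xFF = AutoRun disabled for every drive type) and, with -Fix, sets it.
# Run from an elevated PowerShell prompt for the HKLM change to apply.
param([switch]$Fix)

# DRIVE_REMOVABLE bit in the NoDriveTypeAutoRun bitmask: USB sticks and the like
$RemovableBit = 0x04
# Every drive-type bit set: AutoRun off everywhere
$AllDrives    = 0xFF

$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',  # machine-wide; overrides HKCU
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'   # current user only
)

function Get-AutoRunPolicy {
    param([string]$Path)
    # Returns the DWORD, or $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.NoDriveTypeAutoRun
}

function Set-AutoRunPolicy {
    param([string]$Path, [int]$Value)
    # Policies\Explorer often does not exist on a clean machine; create it first.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name NoDriveTypeAutoRun -Value $Value -Type DWord
}

foreach ($path in $policyPaths) {
    $hive  = $path.Split(':')[0]
    $value = Get-AutoRunPolicy -Path $path

    if ($null -eq $value) {
        Write-Output ("{0}: NoDriveTypeAutoRun not set (OS default applies)" -f $hive)
    } elseif (($value -band $AllDrives) -eq $AllDrives) {
        Write-Output ("{0}: NoDriveTypeAutoRun = 0x{1:X2} (AutoRun disabled for all drive types)" -f $hive, $value)
    } elseif (($value -band $RemovableBit) -eq 0) {
        Write-Output ("{0}: NoDriveTypeAutoRun = 0x{1:X2} WARNING: AutoRun still allowed on removable drives" -f $hive, $value)
    } else {
        Write-Output ("{0}: NoDriveTypeAutoRun = 0x{1:X2} (removable drives covered, other types not)" -f $hive, $value)
    }

    if ($Fix) {
        Set-AutoRunPolicy -Path $path -Value $AllDrives
        Write-Output ("{0}: set NoDriveTypeAutoRun = 0xFF; log off or reboot so Explorer picks it up" -f $hive)
    }
}
```

Two caveats. HKLM wins over HKCU, so a clean HKLM result is what matters on a managed machine; a user-level value only tells you what a single profile has done. And the value is only honored as intended on systems that have the Auto-Run update the article alludes to, so on an unpatched machine this check is no substitute for getting Windows Update current, which is the report's broader point anyway.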