A Microsoft report does not dismiss zero-day attacks but points out that a majority of attacks are social engineering techniques or exploits of known vulnerabilities.
than 1 percent of exploits discovered in the first half of 2011 took advantage
of zero-day vulnerabilities, according to a report from Microsoft's Trustworthy
engineering, brute-force attacks and auto-run threats continue to make up the
bulk of attacks enterprises are seeing on their systems and networks, according
to the latest Security Intelligence Report (SIR) released Oct. 11 by the
Trustworthy Computing group at Microsoft. The six-month-long research was also
presented at the RSA Conference Europe on the same day by Adrienne Hall,
general manager of Trustworthy Computing.
is not trying to give the impression that zero-day attacks aren't a problem, or
that they don't need to be dealt with, Jeff Jones, director of security with
the Trustworthy Computing group, told eWEEK
Rather, the report is intended to show that most threats are preventable and
should help IT managers better assess risk and focus on how to educate users
not saying don't worry about zero-days, but they need to be put into
context," Jones said.
based on zero-day vulnerabilities accounted for just 0.12 percent of all
exploit activity during the first half of 2011, with a peak in 0.37 percent in
June, according to Microsoft researchers. The report found that social
engineering attacks, such as tricking users into doing something dangerous, are
far more prevalent and have more risks for the enterprise. Microsoft
researchers found that 44.8 percent of all malware was spread by some form of
"user interaction" and 26 percent abused the Windows
report suggested that there are plenty of vectors to distribute malware, attack
networks and steal information. There is "no single technique,"
according to Jones. Despite the fact that Microsoft has already released a
patch to turn off Auto-Run on Windows systems, attacks exploiting the feature
remain prevalent, according to the report.
said Auto-Run was intended to make things more efficient, but has resulted in
becoming a prime attack vector.
significant majority of the zero-days that were exploited in the first half of
2011 were related to two vulnerabilities in Adobe's Flash Player. Adobe patched
the first flaw (CVE-2011-0611) within a week of an exploit being seen in the
wild. The second flaw (CVE-2011-2110) did not gain much traction among
criminals until a patch had already been released. Software companies have
become more responsive to zero-days and are much more aggressive about patching
those issues, according to Microsoft.
exploits targeted vulnerabilities in the Oracle Java Runtime Environment, Java
Virtual Machine and Java SE in the Java Development Kit2, the report found.
Attackers are more likely to go after known vulnerabilities that administrators
haven't bothered to patch rather than going through the effort of finding and
exploiting unknown security flaws, Jones said.
attacks generally get a lot of attention and are scarier for consumers and IT
professionals, Jones said. Microsoft wanted to clarify what the scope of the
threat is, which is why the latest SIR focused on zero-day vulnerabilities and
attacks exploiting them.
will "stop management from getting panicky" about zero-day threats
because administrators who work with security "day-to-day" can use
the information to show senior executives what threats are most prevalent
against the enterprise, according to Jones.
risk associated with zero-day exploits is real and should be represented in
organizations' risk management plans," Tim Rains, director of product
management for Trust Worthy Computing Communications at Microsoft, wrote in a
report is very clear about the fact that organizations running newer versions
of software, and not just Microsoft products, are always better protected,
Jones said. It is an "obvious call to action" to get organizations to
take advantage of newer features and better protection by keeping up-to-date on
software version numbers and even more so for Web browsers, he added.
SIRs from Microsoft focused online scams and scareware, botnets and the use of
personal computers to send spam and other malware.