A Microsoft report does not dismiss zero-day attacks but points out that a majority of attacks are social engineering techniques or exploits of known vulnerabilities.
Less than 1 percent of exploits discovered in the first half of 2011 took advantage of zero-day vulnerabilities, according to a report from Microsoft's Trustworthy Computing group.
Social engineering, brute-force attacks and Auto-Run threats continue to make up the bulk of attacks enterprises are seeing on their systems and networks, according to the latest Security Intelligence Report (SIR), released Oct. 11 by the Trustworthy Computing group at Microsoft. The report, which covers six months of data, was also presented at the RSA Conference Europe on the same day by Adrienne Hall, general manager of Trustworthy Computing.
Microsoft is not trying to give the impression that zero-day attacks aren't a problem, or that they don't need to be dealt with, Jeff Jones, director of security with the Trustworthy Computing group, told eWEEK. Rather, the report is intended to show that most threats are preventable and should help IT managers better assess risk and focus on how to educate users about defenses.
"We're not saying don't worry about zero-days, but they need to be put into context," Jones said.
Exploits based on zero-day vulnerabilities accounted for just 0.12 percent of all exploit activity during the first half of 2011, with a peak of 0.37 percent in June, according to Microsoft researchers. The report found that social engineering attacks, such as tricking users into doing something dangerous, are far more prevalent and pose more risk to the enterprise. Microsoft researchers found that 44.8 percent of all malware was spread by some form of "user interaction" and 26 percent abused the Windows "Auto-Run" feature.
The report suggested that there are plenty of vectors to distribute malware, attack networks and steal information. There is "no single technique," according to Jones. Despite the fact that Microsoft has already released a patch to turn off Auto-Run on Windows systems, attacks exploiting the feature remain prevalent, according to the report.
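Shipping the patch does not mean every host honors it, which is why a practitioner would verify the setting rather than assume it. The following PowerShell script is an added example, not code from the Microsoft report or from eWEEK: it audits the machine-wide Auto-Run policy and, if needed, sets it to the fully disabled value. It relies on the documented Explorer policy value NoDriveTypeAutoRun, where a bitmask of 0xFF disables Auto-Run for every drive type; the function names and the "unknown drive type" interpretation of the 0x80 bit are this example's own.

```powershell
# Added example: audit and enforce the Windows Auto-Run policy.
# Not part of the Microsoft SIR or the eWEEK article.
# NoDriveTypeAutoRun is a bitmask of drive types for which Auto-Run is
# disabled; 0xFF covers all of them, including unknown (0x80) and removable (0x04).
$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$DisableAll = 0xFF

function Get-AutoRunPolicy {
    # Returns the current NoDriveTypeAutoRun value, or $null when it is not set.
    $item = Get-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.NoDriveTypeAutoRun
}

function Test-AutoRunDisabled {
    # True only when every drive-type bit in the mask is set.
    $value = Get-AutoRunPolicy
    return ($null -ne $value) -and (($value -band $DisableAll) -eq $DisableAll)
}

function Disable-AutoRun {
    # Requires an elevated shell; creates the policy key if it does not exist yet.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -Value $DisableAll -Type DWord
}

# Audit first; only write when the host is not already hardened.
$current = Get-AutoRunPolicy
if (Test-AutoRunDisabled) {
    Write-Output ("Auto-Run already disabled for all drive types (NoDriveTypeAutoRun = 0x{0:X2})" -f $current)
} else {
    if ($null -eq $current) {
        Write-Output "NoDriveTypeAutoRun is not set; Windows defaults apply"
    } else {
        Write-Output ("NoDriveTypeAutoRun = 0x{0:X2}; some drive types still allow Auto-Run" -f $current)
    }
    Disable-AutoRun
    Write-Output ("Set NoDriveTypeAutoRun = 0x{0:X2}" -f (Get-AutoRunPolicy))
}
```

The same value can also be set per user under the matching HKCU policy key, so a fleet audit should read both hives; the script above covers only the machine-wide policy, which is the one a domain GPO normally manages.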
Jones said Auto-Run was intended to make things more efficient, but it has become a prime attack vector.
A significant majority of the zero-days that were exploited in the first half of 2011 were related to two vulnerabilities in Adobe's Flash Player. Adobe patched the first flaw (CVE-2011-0611) within a week of an exploit being seen in the wild. The second flaw (CVE-2011-2110) did not gain much traction among criminals until a patch had already been released. Software companies have become more responsive to zero-days and are much more aggressive about patching those issues, according to Microsoft.
Other exploits targeted vulnerabilities in the Oracle Java Runtime Environment, Java Virtual Machine and Java SE in the Java Development Kit, the report found. Attackers are more likely to go after known vulnerabilities that administrators haven't bothered to patch rather than going through the effort of finding and exploiting unknown security flaws, Jones said.
Zero-day attacks generally get a lot of attention and are scarier for consumers and IT professionals, Jones said. Microsoft wanted to clarify what the scope of the threat is, which is why the latest SIR focused on zero-day vulnerabilities and attacks exploiting them.
The SIR will "stop management from getting panicky" about zero-day threats because administrators who work with security "day-to-day" can use the information to show senior executives which threats are most prevalent against the enterprise, according to Jones.
"The risk associated with zero-day exploits is real and should be represented in organizations' risk management plans," Tim Rains, director of product management for Trustworthy Computing Communications at Microsoft, wrote in a blog post.
The report is very clear about the fact that organizations running newer versions of software, and not just Microsoft products, are always better protected, Jones said. It is an "obvious call to action" to get organizations to take advantage of newer features and better protection by keeping software versions up to date, and even more so for Web browsers, he added.
Previous SIRs from Microsoft focused on online scams and scareware, botnets, and the use of personal computers to send spam and other malware.