New Microsoft Data Puts Zero-Day Threat Into Perspective

First, the good news from Microsoft's newest data on real-world Windows security incidents: Zero-day attacks are relatively rare. Now the bad news: Nintey-nine percent of all malware infections are due to organizations and users not applying security updates.

Microsoft's latest Security Intelligence Report (SIR), published yesterday, demonstrates that enterprises and users could be more responsible for attacks on their machines than you'd think: Less than 1 percent of all Windows attacks worldwide in the first half of this year used zero-day exploits. SIR version 11 is based on data from 600 million Windows machines in more than 100 countries and regions, gathered via Microsoft's Malicious Software Removal Tool, Hotmail scans, Microsoft Security Essentials data, and Bing Web page scans.

Security experts are split over whether this means that zero-day attacks are overblown. Marcus Carey, a security researcher with Rapid7, says it's another indication that zero-day threats are "overrated."

"We're getting back to the old-school security days. People issue patches, and you patch your stuff, plain and simple," Carey says. Attackers, meanwhile, know that people aren't patching, so they use malware exploiting known vulnerabilities, as well as sure-thing social engineering tactics, to infect users, he says. "That's what the real risk to organizations are, instead of zero-days," he says.

But Chris Wysopal, CTO at Veracode, says the new Microsoft data doesn't mean you should dismiss the zero-day threat: It's more of a "noise problem," he says. "There are 100 times as many attacks happening with known vulnerabilities, so it's drowning out the zero-days," he says.

Zero-days, he adds, cannot be overemphasized. "They are the natural evolution of a vulnerability," Wysopal says. If Windows machines were auto-updated and patched, the number of infected systems attacked with known bugs would drop dramatically -- and the percentage of zero-day ones would rise, he says. "The overall number of compromised systems would go down," he says.

Jeff Jones, director of Microsoft's Trustworthy Computing Group, says the data puts the zero-day threat into context and should alleviate some of the panic surrounding these types of attacks. "When you're looking at this level of volume, 'context' is the word that comes to mind for me," Jones says. "By no means ignore zero-days. What we're saying is you're an IT department with limited resources -- we want you to be enabled with the data so you can [properly prioritize and assess risk]."

So what does this mean for targeted attacks, such as those perpetrated by so-called advanced persistent threat (APT) actors? They're still out there, but not infecting as many machines as the more mainstream attacks, experts say.

"The fact that there are zero-days that enable targeted attacks ... against high-value targets doesn't mean the other stuff goes away," Microsoft's Jones says.

Rapid7's Carey says the less than 1 percent figure for zero-day attacks indicates that some organizations could be falsely placing the blame on unknown threats as the source of their breaches. "If only less than 1 percent are zero-days, a bunch of people aren't being forthright ... 99 percent are not zero-days," he says. "Some define a zero-day as something their AV didn't see," for example, but it still could have been a known vulnerability, he says.

In the big RSA Security data breach in March, the vulnerability used was a Flash object in an Excel file -- and it wasn't a zero-day, Veracode's Wysopal says. "It was known for a day or two," but hadn't been patched, he says. "It shows how attackers try to attack really quickly after they find out about [a vulnerability]."

Overall, Microsoft found that about 45 percent of malware was spread via social engineering, or where user interaction was required to infect the machine: clicking on a URL or opening an infected file, for example. More than 25 percent spread via AutoRun using a USB; 17 percent using AutoRun via a network; and 4 percent via file infector/viruses.

Rogue antivirus is still big, as are email scams, phishing, and repackaged malware on sites that contain legitimate software. Phishing attacks aimed at social networking sites hit 84 percent in April, representing about half of all phishing attempts that month, according to Microsoft's findings.

Some 27 of the most severe threats accounted for 83 percent of the volume of malware Microsoft's tools cleaned up during the January-to-June 2011 period.

"The AutoRun attacks were a little higher than I expected," Jones says. "This is one that's usually there in addition to other vectors."

Many of the infections exploited older bugs. Less than half of the attacks in the first half of this year targeted vulnerabilities that had been disclosed within the previous year. The majority of them went after bugs that had patches available for more than a year. "This was a very actionable thing for companies to take care of and shut down," he says.

Jones says aside from applying updates as soon as possible, moving to newer Windows platforms and software with the latest mitigations can significantly reduce the attack surface.

A full copy of Microsoft's SIRv11 is available here for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.