Microsoft says zero-day exploits are not a major threat

SOFTWARE GIANT Microsoft has analyzed the various methods of malware propagation used by attackers during the first six months of 2011 and concluded that zero-day exploits are the least of its concerns.

"As part of SIRv11 [Microsoft Security Intelligence Report, volume 11], we conducted research to quantify exactly how pervasive the threat posed by zero-day attacks was in the first half of this year," said Tim Rains, director of product management with Microsoft's Trustworthy Computing Group.

"We found that none of the most prevalent malware threats used zero day exploits to propagate in the first half of 2011, and less than one percent of attacks using exploits, leveraged zero-day vulnerabilities," he added.

This comes as no surprise as zero-day exploits are mostly used in targeted attacks against particular organizations or small groups of people. As such, their numbers pale in comparison to those of mass drive-by downloads and other endemic forms of malware.

Statistics gathered by security companies and researchers from live exploit toolkit installations this year revealed that such tools are targeting mostly old vulnerabilities. This is also reflected in Microsoft's findings, according to which, 2.4 per cent of analyzed attacks exploited already patched flaws and 3.2 per cent targeted vulnerabilities that had been fixed for over a year.

According to the report, social engineering remains the most popular malware propagation method and was observed in almost 45 per cent of attacks. Furthermore, despite being restricted by Microsoft earlier this year via an update, the USB Autorun feature remains an important attack vector and was abused in 26 per cent of observed attacks.

Network-based Autorun and file infectors are also popular, being preferred by attackers in 17.2 per cent and 4.4 per cent of cases, respectively. Even brute force attempts are more common than zero-day exploits, accounting for 1.7 per cent of attacks.

Microsoft doesn't want people to neglect zero-day day threats entirely, but doesn't think they should be treated as a priority either. The company points out that there are more pressing issues that organizations should resolve first.

"I definitely don't want to dismiss the significance of zero-day vulnerabilities, but SIRv11 does put them into perspective. It also draws attention to the other 99+ percent of attacks which occur as a result of things like social engineering, weak passwords and unpatched vulnerabilities," Rains said. µ