Zero-day bugs overrated, Microsoft says

Exploits of unpatched vulnerabilities account for about one-tenth of one percent of all attack activity

Don't panic.

That's Microsoft advice when news breaks about the latest zero-day vulnerability, a flaw that hackers exploit before a software developer manages to patch the problem.

"We're not saying don't worry about zero-days. But they need to be put into context," said Jeff Jones, a director of security with Microsoft's Trustworthy Computing group. "For the person who has security as a day-to-day job, they need to worry about the things that are most prevalent and most severe."

And Jones, armed with data from Microsoft's security teams and the Windows software they produce, argued that zero-days are not the most prevalent, and thus not the most dangerous, threats facing users.

According to Microsoft's latest Security Intelligence Report (SIR), published earlier today, exploits of zero-day vulnerabilities accounted for just 0.12% of all exploit activity during the first half of 2011.

But that data conflicts with the attention paid to unpatched bugs by the press, Microsoft said.

"The zero-day vulnerability is especially alarming for consumers and IT professionals [because] it combines fear of the unknown and an inability to fix the vulnerability," Microsoft's report said. "[So] it's no surprise that zero-day vulnerabilities often receive considerable coverage in the press when they arise."

Microsoft wanted to set the record straight, said Jones, which is why it focused its newest SIR on zero-days.

"This is panic inducing if I'm not informed," said Jones. "I'm not thinking of the security professional -- I wouldn't try to tell them how to do their job -- but I'm really thinking of his boss or a C-level executive who reads something and says, 'Hey, what are we doing about this?'"

Microsoft's advice? Don't freak.

"What we want to provide is the data that can take the IT pro from the panic of the headline to the prioritization of risks," said Jones.

In other words, a zero-day's bark is bigger than its bite, said Andrew Storms, director of security operations with nCircle Security.

"I think that there's value in what Microsoft is saying," said Storms. "I've always been in the camp that, for the billions of people on the Internet, zero-days are not the risk."

What is, both Storms and Microsoft agreed, are the threats that rely on duping users into doing something dangerous -- the term "social-engineered attack" is usually applied -- such as downloading a malicious file.

Using a complex scoring system that accounted for the multiple attack strategies most malware now employs, and data from a different source -- threats scrubbed from PCs by Microsoft's free Malicious Software Removal Tool (MSRT) -- the company concluded that 45% of all malware was spread through "user interaction."

"Exploits that use a social-engineered attack vector and require user interaction, by the MSRT data, are the most severe threats and the most prevalent," said Jones.

"I don't disagree with them one bit," said Storms, who nevertheless picked a bone with Microsoft for not practicing what its data preached.

"If that's the case, Microsoft should be providing some higher prioritization in its security classifications," said Storms.

Storms was referring to the four-step scoring system Microsoft uses to label security updates, and the fact it often tags vulnerabilities that can lead to a compromised computers, as "important," the second-highest rating, when an exploit requires user interaction.

"They often say a remotely executable exploit is less important because there's user interaction required," said Storms. "But that flies right in the face of the data here."

Of the five security updates Microsoft issued last month, for instance, all three Microsoft described as "could allow remote code exploitation" were rated as important, not "critical," even though the company bet that attack code for most of those bugs would appear within 30 days.

According to Microsoft's definition, the critical label applies to a "vulnerability whose exploitation could allow the propagation of an Internet worm without user action."

Microsoft's advice for customers in light of its zero-day findings wasn't new: Jones urged users to keep their software updated with the newest security patches and to use newer rather than older software.

"Do the basics," Jones said. "If anything [this information] should move people from a state of panic around zero-days to an appropriate prioritization."

The latest SIR volume can be downloaded from Microsoft's website as a PDF document.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com.

Join the discussion
Be the first to comment on this article. Our Commenting Policies