Zero-day bugs overrated, Microsoft says
Exploits of unpatched vulnerabilities account for about one-tenth of one percent of all attack activity
Computerworld - Don't panic.
That's Microsoft's advice when news breaks about the latest zero-day vulnerability, a flaw that hackers exploit before a software developer manages to patch the problem.
"We're not saying don't worry about zero-days. But they need to be put into context," said Jeff Jones, a director of security with Microsoft's Trustworthy Computing group. "For the person who has security as a day-to-day job, they need to worry about the things that are most prevalent and most severe."
And Jones, armed with data from Microsoft's security teams and the Windows software they produce, argued that zero-days are not the most prevalent, and thus not the most dangerous, threats facing users.
According to Microsoft's latest Security Intelligence Report (SIR), published earlier today, exploits of zero-day vulnerabilities accounted for just 0.12% of all exploit activity during the first half of 2011.
But that data conflicts with the attention paid to unpatched bugs by the press, Microsoft said.
"The zero-day vulnerability is especially alarming for consumers and IT professionals [because] it combines fear of the unknown and an inability to fix the vulnerability," Microsoft's report said. "[So] it's no surprise that zero-day vulnerabilities often receive considerable coverage in the press when they arise."
Microsoft wanted to set the record straight, said Jones, which is why it focused its newest SIR on zero-days.
"This is panic inducing if I'm not informed," said Jones. "I'm not thinking of the security professional -- I wouldn't try to tell them how to do their job -- but I'm really thinking of his boss or a C-level executive who reads something and says, 'Hey, what are we doing about this?'"
Microsoft's advice? Don't freak.
"What we want to provide is the data that can take the IT pro from the panic of the headline to the prioritization of risks," said Jones.
In other words, a zero-day's bark is bigger than its bite, said Andrew Storms, director of security operations with nCircle Security.
"I think that there's value in what Microsoft is saying," said Storms. "I've always been in the camp that, for the billions of people on the Internet, zero-days are not the risk."
What is, both Storms and Microsoft agreed, are the threats that rely on duping users into doing something dangerous -- the term "social-engineered attack" is usually applied -- such as downloading a malicious file.
Using a complex scoring system that accounted for the multiple attack strategies most malware now employs, and data from a different source -- threats scrubbed from PCs by Microsoft's free Malicious Software Removal Tool (MSRT) -- the company concluded that 45% of all malware was spread through "user interaction."