Zero-day bugs overrated, Microsoft says
Exploits of zero-day vulnerabilities accounted for about one-tenth of one percent of all exploit activity Microsoft observed in the first half of 2011
Computerworld - Don't panic.
That's Microsoft's advice when news breaks about the latest zero-day vulnerability, a flaw that attackers are exploiting before the software vendor has a patch available.
"We're not saying don't worry about zero-days. But they need to be put into context," said Jeff Jones, a director of security with Microsoft's Trustworthy Computing group. "For the person who has security as a day-to-day job, they need to worry about the things that are most prevalent and most severe."
And Jones, armed with data from Microsoft's security teams and the Windows software they produce, argued that zero-days are not the most prevalent, and thus not the most dangerous, threats facing users.
According to Microsoft's latest Security Intelligence Report (SIR), published earlier today, exploits of zero-day vulnerabilities accounted for just 0.12% of all exploit activity during the first half of 2011.
But that figure is at odds with the amount of attention the press pays to unpatched bugs, Microsoft said.
"The zero-day vulnerability is especially alarming for consumers and IT professionals [because] it combines fear of the unknown and an inability to fix the vulnerability," Microsoft's report said. "[So] it's no surprise that zero-day vulnerabilities often receive considerable coverage in the press when they arise."
Microsoft wanted to set the record straight, said Jones, which is why it focused its newest SIR on zero-days.
"This is panic inducing if I'm not informed," said Jones. "I'm not thinking of the security professional -- I wouldn't try to tell them how to do their job -- but I'm really thinking of his boss or a C-level executive who reads something and says, 'Hey, what are we doing about this?'"
Microsoft's advice? Don't freak.
"What we want to provide is the data that can take the IT pro from the panic of the headline to the prioritization of risks," said Jones.
In other words, a zero-day's bark is bigger than its bite, said Andrew Storms, director of security operations with nCircle Security.
"I think that there's value in what Microsoft is saying," said Storms. "I've always been in the camp that, for the billions of people on the Internet, zero-days are not the risk."
The real risk, both Storms and Microsoft agreed, comes from threats that rely on duping users into doing something dangerous (the usual term is a "social-engineered attack"), such as downloading and running a malicious file.
Using a scoring system that accounts for the multiple propagation methods most malware now employs, and drawing on a different data source, threats removed from PCs by Microsoft's free Malicious Software Removal Tool (MSRT), the company concluded that 45% of all malware was spread through "user interaction." Because the 0.12% figure and the 45% figure come from different data sets measured on different bases, they are not directly comparable; the point is the relative ranking, not the ratio.