Zero-day bugs overrated, Microsoft says

Exploits of unpatched vulnerabilities account for about one-tenth of one percent of all attack activity

October 11, 2011 06:47 AM ET

Computerworld - Don't panic.

That's Microsoft's advice when news breaks about the latest zero-day vulnerability, a flaw that hackers exploit before the software developer manages to patch the problem.

"We're not saying don't worry about zero-days. But they need to be put into context," said Jeff Jones, a director of security with Microsoft's Trustworthy Computing group. "For the person who has security as a day-to-day job, they need to worry about the things that are most prevalent and most severe."

And Jones, armed with data from Microsoft's security teams and the Windows software they produce, argued that zero-days are not the most prevalent, and thus not the most dangerous, threats facing users.

According to Microsoft's latest Security Intelligence Report (SIR), published earlier today, exploits of zero-day vulnerabilities accounted for just 0.12% of all exploit activity during the first half of 2011.

But that data conflicts with the attention paid to unpatched bugs by the press, Microsoft said.

"The zero-day vulnerability is especially alarming for consumers and IT professionals [because] it combines fear of the unknown and an inability to fix the vulnerability," Microsoft's report said. "[So] it's no surprise that zero-day vulnerabilities often receive considerable coverage in the press when they arise."

Microsoft wanted to set the record straight, said Jones, which is why it focused its newest SIR on zero-days.

"This is panic inducing if I'm not informed," said Jones. "I'm not thinking of the security professional -- I wouldn't try to tell them how to do their job -- but I'm really thinking of his boss or a C-level executive who reads something and says, 'Hey, what are we doing about this?'"

Microsoft's advice? Don't freak.

"What we want to provide is the data that can take the IT pro from the panic of the headline to the prioritization of risks," said Jones.

In other words, a zero-day's bark is bigger than its bite, said Andrew Storms, director of security operations with nCircle Security.

"I think that there's value in what Microsoft is saying," said Storms. "I've always been in the camp that, for the billions of people on the Internet, zero-days are not the risk."

What does pose a risk, both Storms and Microsoft agreed, are the threats that rely on duping users into doing something dangerous -- usually called "social-engineered attacks" -- such as downloading a malicious file.

Using a complex scoring system that accounted for the multiple attack strategies most malware now employs, and data from a different source -- threats scrubbed from PCs by Microsoft's free Malicious Software Removal Tool (MSRT) -- the company concluded that 45% of all malware was spread through "user interaction."
