Zero-day bugs overrated, Microsoft says
Exploits of unpatched vulnerabilities account for about one-tenth of one percent of all attack activity
Computerworld - Don't panic.
That's Microsoft's advice when news breaks about the latest zero-day vulnerability, a flaw that hackers exploit before a software developer manages to patch the problem.
"We're not saying don't worry about zero-days. But they need to be put into context," said Jeff Jones, a director of security with Microsoft's Trustworthy Computing group. "For the person who has security as a day-to-day job, they need to worry about the things that are most prevalent and most severe."
And Jones, armed with data from Microsoft's security teams and the Windows software they produce, argued that zero-days are not the most prevalent, and thus not the most dangerous, threats facing users.
According to Microsoft's latest Security Intelligence Report (SIR), published earlier today, exploits of zero-day vulnerabilities accounted for just 0.12% of all exploit activity during the first half of 2011.
But that data conflicts with the attention paid to unpatched bugs by the press, Microsoft said.
"The zero-day vulnerability is especially alarming for consumers and IT professionals [because] it combines fear of the unknown and an inability to fix the vulnerability," Microsoft's report said. "[So] it's no surprise that zero-day vulnerabilities often receive considerable coverage in the press when they arise."
Microsoft wanted to set the record straight, said Jones, which is why it focused its newest SIR on zero-days.
"This is panic inducing if I'm not informed," said Jones. "I'm not thinking of the security professional -- I wouldn't try to tell them how to do their job -- but I'm really thinking of his boss or a C-level executive who reads something and says, 'Hey, what are we doing about this?'"
Microsoft's advice? Don't freak.
"What we want to provide is the data that can take the IT pro from the panic of the headline to the prioritization of risks," said Jones.
In other words, a zero-day's bark is bigger than its bite, said Andrew Storms, director of security operations with nCircle Security.
"I think that there's value in what Microsoft is saying," said Storms. "I've always been in the camp that, for the billions of people on the Internet, zero-days are not the risk."
What is, both Storms and Microsoft agreed, are the threats that rely on duping users into doing something dangerous -- the term "social-engineered attack" is usually applied -- such as downloading a malicious file.
Using a complex scoring system that accounted for the multiple attack strategies most malware now employs, and data from a different source -- threats scrubbed from PCs by Microsoft's free Malicious Software Removal Tool (MSRT) -- the company concluded that 45% of all malware was spread through "user interaction."