After analyzing data from more than 600 million systems around the globe, Microsoft has concluded that zero-day vulnerabilities are far less of a threat in practice than malware that relies on traditional infection vectors, such as social engineering and security holes for which a patch already exists. It's not that zero-day threats aren't dangerous in themselves; it's that, comparatively, hardly anyone is exploiting them.
In Microsoft's latest Security Intelligence Report (volume 11), the Redmond software giant found that less than 1 percent of the exploits it detected in the first half of 2011 targeted zero-day vulnerabilities. By comparison, infections that required user interaction, typically obtained through social engineering, accounted for 45 percent of all malware propagation in the same period. More than a third spread by abusing the Windows AutoRun feature (Win32/Autorun abuse, in Microsoft's terminology) when external media such as a USB flash drive or CD was connected.
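A practitioner reading that AutoRun figure will want a quick way to see whether a Windows machine still honours AutoRun on removable media. The following PowerShell check is an added example, not code from the article or from Microsoft's report: it reads the NoDriveTypeAutoRun policy value from both the machine and the per-user policy keys and decodes which drive types remain exposed. The bit meanings follow Microsoft's published documentation for that DWORD (0xFF disables AutoRun on every drive type); treating a missing value as the operating system default of 0x91 is an assumption, and is marked as such in the code.

```powershell
# Added example, not from the article or from Microsoft's SIR: decode the
# NoDriveTypeAutoRun policy bitmask and report which drive types still have
# AutoRun enabled. Bit values follow Microsoft's documentation for this DWORD;
# 0xFF disables AutoRun on every drive type.
$DriveTypeBits = @{
    0x04 = 'Removable drives (USB flash, floppy)'
    0x08 = 'Fixed drives'
    0x10 = 'Network drives'
    0x20 = 'CD-ROM / DVD drives'
    0x40 = 'RAM disks'
    0x80 = 'Drives of unknown type'
}

function Get-AutoRunExposure {
    # $Mask: the NoDriveTypeAutoRun DWORD, or $null when the value is not set.
    param($Mask)
    if ($null -eq $Mask) {
        # Assumption: with no policy value present, the OS default of 0x91
        # applies (AutoRun off only for unknown-type and network drives).
        $Mask = 0x91
    }
    foreach ($bit in ($DriveTypeBits.Keys | Sort-Object)) {
        [pscustomobject]@{
            DriveType       = $DriveTypeBits[$bit]
            AutoRunDisabled = (($Mask -band $bit) -ne 0)
        }
    }
}

# The machine policy (HKLM) overrides the per-user one (HKCU); report both.
foreach ($hive in 'HKLM', 'HKCU') {
    $key  = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $mask = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $shown = if ($null -eq $mask) { '(not set)' } else { '0x{0:X2}' -f $mask }
    Write-Output "== $hive NoDriveTypeAutoRun = $shown"
    Get-AutoRunExposure -Mask $mask | Format-Table -AutoSize
    # $null -band 0xFF evaluates to 0, so an unset value also triggers the warning.
    if (($mask -band 0xFF) -ne 0xFF) {
        Write-Warning "${hive}: AutoRun is not fully disabled; Microsoft's guidance is to set the value to 0xFF."
    }
}
```

The script only reads the registry; it changes nothing. One caveat when interpreting the output: on Windows 7, and on Windows XP and Vista once Microsoft's AutoPlay update (KB971029) is installed, autorun.inf is no longer honoured on USB sticks and other non-optical media regardless of this value, so the mask matters most on older, unpatched systems, which is exactly the population the report's infection figures point at.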
"We encourage people to consider this information when prioritizing their security practices," said Vinny Gullotto, general manager, Microsoft Malware Protection Center. "SIRv11 provides techniques and guidance to mitigate common infection vectors, and its data helps remind us that we can’t forget about the basics. Techniques such as exploiting old vulnerabilities, Win32/Autorun abuse, password cracking and social engineering remain lucrative approaches for criminals."
That sub-1-percent figure sounded awfully low to us, especially considering how many antivirus companies now emphasize behavior-based scanning and cloud databases to catch emerging threats. Webroot in particular has just launched its SecureAnywhere security software, which runs almost entirely in the cloud. We asked Jacques Erasmus, chief information security officer at Webroot, what he thought of Microsoft's report.
"I tend to agree with these numbers if we are talking about true zero-day exploits which are very rarely used to infect large numbers of people. Instead, they’re used in targeted attacks; what happens after this is the exploit gets leaked after it's used initially and then hits the mass market until a patch is released," Erasmus told Maximum PC.
You can read Microsoft's Security Intelligence Report here.