Microsoft Security Summary: Don't Sweat 0-days & Wise Up Stupid and Lazy Users!

Microsoft released its Security Intelligence Report for the first half of 2011, including the message not to worry so much about zero-day vulnerabilities. In this lighthearted look at the threat landscape, we'll examine PEBKAC, ID10T, social engineering and summarize other user problems that cybercrooks exploit.

After collecting data from over 600 million computers worldwide, Microsoft released the Microsoft Security Intelligence Report Volume 11 [PDF], which "exposes the threat landscape of exploits, vulnerabilities, and malware" during the first half of 2011. While Microsoft would never directly come out and say such things, the report could be summed up as "the problem is not us, it's you": media hype blows zero-day vulnerabilities out of proportion to how much they are exploited; too many people or companies have lax security practices about patching; and last but certainly not least is PEBKAC (Problem Exists Between Keyboard And Chair). That problem is nearly as old as the first PCs, yet it still rings true today.

Don't worry, be happy. Microsoft said not to sweat over zero-days since less than 1% of exploits were against zero-day vulnerabilities. Although the dreaded "zero-day vulnerability strikes fear in the hearts of consumers and IT professionals," that can be mostly attributed to the media saturating news channels with 0-day hype. That's not exactly Microsoft's wording, but the company did a zero-day post and a nifty infographic.

In fact, almost half of all malware infections can be chalked up to stupid users. Oops, that's not quite right; I meant, social engineering is still a pretty wicked slick trick with no signs of slowing in the future and 45% of malware infections can be attributed to smooth-talking or sneaky-baited social engineering techniques.

43% of malware is accomplished by cybercriminals abusing the Autorun feature, which automatically starts programs, such as when a USB device is plugged in. Cybercrooks like rogue security software so much that it tops the charts for ways attackers "swindle money from victims." Other popular methods exploited by cybercriminals included attacking weak passwords, which is an all-too-common problem among users.

What's really sad is that approximately 90% of all exploits targeted vulnerabilities that had a security patch available for a year or more. Microsoft said, "It's important to keep all software up to date." I'll be less kind and more direct: it could also fall into the 'ID ten T' error category or lax security practices.

While patching Windows is a huge time sink for IT departments, we've seen in the past that people are exasperated trying to keep up with patching other programs. In the first half of 2011, between one-third and one-half of all exploits targeted vulnerabilities in Oracle's Java products. The web is still the most common vector for delivering exploits, including malware via HTML IFrames and JavaScript. Adobe Flash exploits were "uncommon in comparison" but jumped more than 40 times in volume from last quarter. The "most exploited document format" award also goes to Adobe, for Reader and Acrobat.

The USA was the country with the most computers "reporting detections and removals by Microsoft desktop antimalware products."

Anyone who may have been offended by this article, please lighten up and have a happy Hump Day! Surely you've felt the same about family or friends who think you are 24/7 tech support and continue to make the same stupid mistakes until you simply image their system for reformatting, or consider putting parental controls on adults' computers? I encourage interested readers to examine the Microsoft Security Intelligence Report for the first half of 2011 in full and in seriousness.

Vinny Gullotto, general manager of the Microsoft Malware Protection Center, said, "We encourage people to consider this information when prioritizing their security practices. SIRv11 provides techniques and guidance to mitigate common infection vectors, and its data helps remind us that we can't forget about the basics. Techniques such as exploiting old vulnerabilities, Win32/Autorun abuse, password cracking and social engineering remain lucrative approaches for criminals."

What Microsoft didn't flat out say, but I wonder if they wouldn't like to, is stop the zero-day media hype, don't wait so long to patch security vulnerabilities or your PC or network will get whacked, and wise up stupid users!

Follow me on Twitter @PrivacyFanatic

Copyright © 2011 IDG Communications, Inc.
