Microsoft Security Intel Report suggests zero-day flaws way overblown

Volume 11 of Microsoft’s Security Intelligence Report is out. Look at the high points and discuss…

The chief focus here is on zero-day vulnerabilities — Those for which no patch exists. To make sense of how much of a danger these really are, Microsoft researchers pulled data from more than 600 million systems in more than 100 countries.

After reviewing all the data, Microsoft determined:

•Less than one percent of exploits worldwide were against zero-day vulnerabilities.

•99 percent of all attacks in the first half of 2011 distributed malware through familiar techniques like social engineering and vulnerabilities for which updates or a “patch” exist.

•Cybercriminals are targeting old vulnerabilities. Approximately 90 percent of vulnerabilities exploited had security updates or “patches” available for more than a year.

On the surface, the takeaway seems to be that we’re all worrying too much about zero-day flaws when the bigger danger is that enterprise IT shops and home users are falling asleep at the patching wheel.

Based on the conversations I have regularly with IT security practitioners, this is indeed a problem. There are still machines out there getting hit with years-old malware like Sasser.

But is this really the far bigger problem than zero-day vulnerabilities? I have trouble buying the “less than 1 percent” finding.

Here’s how the report explains it:

The zero-day vulnerability is especially alarming for consumers and IT professionals, and for good reason—it combines fear of the unknown and an inability to fix the vulnerability, which leaves users and administrators feeling defenseless. It’s no surprise that zero-day vulnerabilities often receive considerable coverage in the press when they arise, and can be treated with the utmost level of urgency by the affected vendor and the vendors’ customers.

Despite this level of concern, there has been little measurement of the zero-day threat in the context of the broader threat landscape. This section of the Microsoft Security Intelligence Report presents such an analysis, along with details of the methodology used, a discussion of the insights gained from it, and some information about what’s been done with those insights.

This analysis approaches its subject in two ways. First, it establishes a method to estimate how malware propagates, including the use of zero-day exploits. Second, it measures the amount of zero-day exploitation in comparison with overall vulnerability exploitation. In other words, what are the relative proportions of exploitation before and after the update?

More than a third of the detections that were analyzed were caused by malicious software that misused the AutoRun feature in Windows. Analyzed threats were split between USB AutoRun threats (26 percent of the total) and network volume AutoRun threats (17 percent).

–About 6 percent of the MSRT detections analyzed were likely caused by exploits. Of these, the majority had had security updates available for more than a year at the time of detection (classified as “Update Long Available”), with the remainder involving exploits for vulnerabilities for which security updates had been released less than a year before detection (classified as “Update Available”).

–File infectors, or viruses, accounted for 4 percent of detections.

–The password brute force and Office macro behaviors were each identified in just one of the families examined in this exercise, and accounted for 2 percent and 0.3 percent of the total, respectively.

When compared to the other categories of threats identified for the project Broad Street analysis, exploits are relatively rare, and exploits that target recently disclosed vulnerabilities are rarer still. Of the attacks attributed to exploits in the 1H11 MSRT data, less than half of them targeted vulnerabilities disclosed within the previous year, and none targeted vulnerabilities that were zero-day during the first half of 2011.

(Because Microsoft usually releases security updates and the MSRT at the same time, the analysis considers a vulnerability zero-day for the entire month that an update is released. For example, if a malware family only uses a particular exploit in January, and Microsoft releases an update to fix the vulnerability in January, all February cleans of that family are counted as zero-day. This choice was made to avoid under-counting zero-days.)

The MMPC tracks vulnerability exploitation attempts using more than 3,000 signatures. Although some generic signatures may detect a zero-day exploit before the vulnerability has been disclosed, in most cases a signature update is required to detect or to single out one vulnerability exploit from another.

Given these constraints, some small-scale, targeted attacks using zero-day exploits may escape detection briefly, and such attacks would not be reflected in the data presented here. In general, though, when attacks involving an undisclosed vulnerability occur in significant volume, they are noticed quickly; security vendors respond by providing detection signatures and protection, and the affected software vendor publishes security updates to address the vulnerability.

In this supplemental analysis, zero-day exploitation accounted for about 0.12 percent of all exploit activity in 1H11, reaching a peak of 0.37 percent in June.

There’s a lot more to this report I’ll be digging into in a post tomorrow. For now, I wanted to flag the low zero-day finding and open the floor for discussion.

As IT security practitioners, what tends to be the biggest headache in terms of actual attacks: Those that exploit zero days or those that exploited a flaw you thought you patched but apparently missed?

Please discuss.

–Bill Brenner

one-stop view of latest business threats. We created it for you! Bookmark it! Use it!

CSO’s Daily Dashboard gives you a

Sign up today.

Get your morning news fix with the daily Salted Hash e-newsletter!