
Microsoft Report Dishes on Malware Prophylaxis, Zero Day Hysteria

Why do zero-day attacks -- which account for a vanishingly small percentage of all exploit activity -- generate a disproportionate share of security headlines?

If you've been burned by a malware attack, you've only yourself to blame.

That's perhaps the most risible finding in the 11th edition of Microsoft's Security Intelligence Report (MSIR), which covers the first half of 2011.

It isn't the only risible or tendentious nugget in the latest MSIR, however. The report also takes aim at so-called "zero-day" attacks, which it says account for a vanishingly small percentage of all exploit activity -- some 0.12 percent in the first half of 2011, in fact.

In most cases, Microsoft Corp. argues, malware attacks could've or should've been blocked at the outset. For example, almost half (44.8 percent) of all malware attacks required a user to complete an action before a computer could effectively be compromised. "Action," in this case, denotes "an intentional action that is in some way distinguished from the typical use of the computer," according to Microsoft, which produced the report.

More than a third of malware attacks exploited the Windows "Autorun" feature, which prompts a user to execute an application whenever Windows connects to a resource, such as a removable device (e.g., a flash drive or an SD card), an optical disc, or a network share. Finally, 5.6 percent of attacks exploited vulnerabilities that Microsoft says it had already patched.

Windows security best practices require that organizations enable User Account Control (UAC) -- which prompts a user when an application asks to run at an elevated privilege level -- and disable Autorun. In February, Microsoft pushed out an update that changed the way Autorun works on Windows XP, Windows Vista, and Windows Server 2008. This update, which disables the Autorun feature on non-optical devices, likewise reduced the frequency of Autorun-based attacks.
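The two settings named above can be audited from the registry. The following PowerShell script is an added example, not taken from the MSIR or this article: it reads the documented policy values for Autorun (`NoDriveTypeAutoRun`, where 0xFF disables Autorun for every drive type) and UAC (`EnableLUA`, where 1 means enabled) and reports whether a machine matches the best practice. The pass/fail thresholds and the optional remediation switch are this script's own assumptions, not anything the report prescribes.

```powershell
# Added example (not from the report or the article): audit the Autorun and
# UAC hardening settings via their documented policy registry locations.
# Run as an administrator; the -Remediate switch is an assumption of this
# script, applied only when explicitly requested.

$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$SystemPolicy   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-AutorunDisabled {
    # NoDriveTypeAutoRun is a bitmask of drive types for which Autorun is
    # suppressed; 0xFF covers all of them. A missing value means Windows
    # defaults apply, which we treat as non-compliant.
    $value = (Get-ItemProperty -Path $ExplorerPolicy -Name NoDriveTypeAutoRun `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $value) { return $false }
    return (($value -band 0xFF) -eq 0xFF)
}

function Test-UacEnabled {
    # EnableLUA = 1 turns on User Account Control; 0 or absent means off.
    $value = (Get-ItemProperty -Path $SystemPolicy -Name EnableLUA `
                -ErrorAction SilentlyContinue).EnableLUA
    return ($value -eq 1)
}

function Get-HardeningReport {
    param([switch]$Remediate)

    if ($Remediate) {
        # Create the policy keys if absent, then set both values to the
        # hardened state. Takes effect at next logon / reboot.
        foreach ($key in @($ExplorerPolicy, $SystemPolicy)) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        }
        Set-ItemProperty -Path $ExplorerPolicy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
        Set-ItemProperty -Path $SystemPolicy   -Name EnableLUA          -Value 1    -Type DWord
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        AutorunDisabled = Test-AutorunDisabled
        UacEnabled      = Test-UacEnabled
        Compliant       = (Test-AutorunDisabled) -and (Test-UacEnabled)
    }
}

# Audit only; add -Remediate to enforce the hardened values.
Get-HardeningReport | Format-List
```

Running the audit across a fleet (for example via `Invoke-Command` against a list of hosts) gives a quick count of machines still exposed to the Autorun-based attacks the report describes; the remediation path should go through Group Policy in any managed environment rather than per-host registry writes.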

Because so many malware attacks try to trick a user into launching a malicious executable, the Microsoft report urges shops to beef up their defenses against social engineering.

"In many scenarios, people are an organization's last line of defense against threats such as malicious code, disgruntled employees, and malicious third parties. It is therefore important to educate workers on what your organization considers appropriate security-conscious behavior, and on the security best practices they need to incorporate in their daily business activities."

Zero Danger?

Although the new MSIR doesn't quite downplay the danger posed by attacks that exploit as-yet-unpatched vulnerabilities in operating system or application software, it does raise questions about the amount of attention these attacks tend to receive. "Zero-day vulnerabilities -- according to conventional wisdom, at least -- cannot be effectively defended against, and can arise at any time, leaving even security-conscious IT administrators essentially at their mercy," the report says, concluding that "Zero-day vulnerabilities continue to capture the imagination."

The big question is why. Exploits using malicious code accounted for less than 6 percent of the threats detected by Microsoft's Malicious Software Removal Tool (MSRT), and none of the top malware threats identified by the MSRT used zero-day exploits. More to the point, the majority of those exploits (3.2 percent of the total) targeted vulnerabilities for which updates had been available for at least a year.

"Out of all the vulnerability exploitation detected by the [Microsoft Malware Protection Center], less than one percent was zero-day exploit activity," the report indicates.

Of course, the very idea of a zero-day attack is to avoid detection by technologies like the MSRT or by any other anti-malware or anti-virus software.

Microsoft concedes as much, but says that the picture is only slightly bleaker once that is taken into account: zero-day exploits accounted for an average of just 0.12 percent of all exploit activity in the first half of 2011, with a peak of 0.37 percent in June, thanks to a pair of Adobe Flash-related vulnerabilities.

"[S]ome small-scale, targeted attacks using zero-day exploits may escape detection briefly, and such attacks would not be reflected in the data presented here. In general, though, when attacks involving an undisclosed vulnerability occur in significant volume, they are noticed quickly; security vendors respond by providing detection signatures and protection, and the affected software vendor publishes security updates to address the vulnerability," the report indicates.
