Zero-day exploits are nerve-racking for IT professionals but are far less dangerous than unpatched older vulnerabilities for which fixes are available, Microsoft says.
A zero-day is a vulnerability for which a patch is not yet available. These accounted for less than 1% of all detected infections in the first half of 2011, according to Microsoft's latest security research report. Instead, Microsoft finds that Java remains the worst cause of infections -- and old Java at that, with patches long since available.
"Java exploits were responsible for between one-third and one-half of all exploits observed in each of the four most recent quarters," says the Microsoft Security Intelligence Report Volume 11, released Tuesday. [Full report PDF]. Java attacks include infections from holes in the Java Runtime Environment, Java Virtual Machine, and Java SE in the Java Development Kit.
Like previous versions of this report, Microsoft finds that nearly all infections could have been stopped if the user had been using the latest version of software, or had not clicked on a malware-laced link. Note that the report is limited to instances of attacks that Microsoft can detect through its Malicious Software Removal Tool and its other anti-malware products. Zero-day attacks that it cannot detect would not be calculated in its findings. Using these, the company analyzed security incidents from more than 600 million systems in more than 100 countries for the first half of 2011, many of them Windows PCs owned by consumers or small businesses without dedicated IT staff.
It's not surprising that Microsoft's research validates that Microsoft's newer products are more secure and that its prevention methods are working. Nevertheless, the report also offers insight into the types of preventable infections that PCs still fall prey to.
Second on the list of most popular infections were attacks against the Windows OS, which saw an increase in the second quarter. This was entirely thanks to exploits using a vulnerability in Windows Shell made famous by Stuxnet. Microsoft had patched this hole in August 2010 for all versions of Windows (including WS2008 server core installations).
The overall theme in Microsoft's latest 2011 security threats finds that old is bad, new is good, while social networks are the new breeding ground for successful phishing attacks. Overall, 27 threats represented more than 80% of all malware detected in the period and nearly all of it was preventable through already available patches.
While hackers are forever finding software vulnerabilities, improved software security techniques are making it harder for those attacks to have much effect in the wild, says Jeff Jones, director for Microsoft Trustworthy Computing. Techniques like stack overflow protection, data execution prevention and address space layout randomization limit the severity of infections if they can plant malware on machines.
"Newer is better, and I'm not just saying for Microsoft products. Smartphone makers are building in newer techniques like address space randomization," says Jones, who couldn't resist adding a plug for Windows 7. "If you are running a product that's 10 years old, time to think to moving product more recent than that."
For instance, infection rates are dramatically lower between older and newer versions of Windows, with 10.9% of Windows XP SP3, the current version, succumbing to infections; Vista SP2 32-bit users were hit 5.7% of the time, Windows 7 32-bit 4% and Windows 7 SP1 32-bit a mere 1.8% (with 64-bit infection rates even lower). Microsoft normalizes these statistics, comparing an equal number of computers per version, so the number of XP users vs. Windows 7 users does not taint the findings. Windows 7 SP1 was released in February and was essentially a roll-up release of security and bug fixes, with no added functionality.
Meanwhile, the report says exploits affecting Android and the Open Handset Alliance were on the rise. These were detected when Android users downloaded infected programs to their Windows computers before transferring the software to their devices. The biggest was a Trojan family it calls AndroidOS/DroidDream, "which often masquerades as a legitimate Android application, and can allow a remote attacker to gain access to the mobile device," the report says. Google fixed that hole with a security update published in March; however, detected DroidDream infections continued to rise through the second quarter.
There was some good news. Many of the methods Microsoft has implemented to limit the severity of infections are having some effect, if Microsoft does say so itself. For instance, in February, Microsoft released an update for XP and Vista systems which fixed the Autorun feature from being so easily abused. Windows 7 always included this feature. Autorun is a favorite method to spread Conficker, which still appears as a top infection on enterprise networks, the report says. A more secure Autorun doesn't automatically launch applications on thumb drives and DVDs.
Microsoft reports that Autorun infections decreased by as much as 82%. However, Autorun is still a top prorogation technique, and 43% of malware included Autorun as a propagation method, the report says.
Likewise, with Microsoft's help in taking down the botnets Cutwail and Rustock, spam rates dropped from about 90 billion blocked messages in July 2010 to about 25 billion in June 2011.
Indeed overall infections declined compared to the last half of 2010, from a high of 12.3 per 1,000 computers cleaned in 3Q 2010 to 9.8 in 2Q 2011.
Now for the bad news. What hackers are losing in the way of easy drive-by infections and Autorun propagation, they seem to be making up for in phishing via social media, such as Facebook clickjacking attacks. "In April 84% of all phishing was through social networks," Jones says.
As Microsoft sees it, protection against these attacks remains in your hands, by keeping up on patches and fixes.