Zero-day exploits are nerve-racking for IT professionals but are far less dangerous than unpatched older vulnerabilities for which fixes areavailable, Microsoft says.
A zero-day is a vulnerability for which a patch is not yet available.These accounted for less than 1% of all detected infections in thefirst half of 2011, according to Microsoft’s latest security research report.Instead, Microsoft finds that Java remains the worst cause ofinfections — and old Java at that, with patches long since available.
“Java exploits were responsible for between one-third and one-half ofall exploits observed in each of the four most recent quarters,” saysthe Microsoft Security Intelligence Report Volume 11, released Tuesday.Java attacks include infectionsfrom holes in the Java Runtime Environment, Java Virtual Machine, andJava SE in the Java Development Kit.
Like previous versions of this report, Microsoft finds that nearly allinfections could have been stopped if the user had been using thelatest version of software, or had not clicked on a malware-laced link.Note that the report is limited to instances of attacks that Microsoftcan detect through its Malicious Software Removal Tool and its otheranti-malware products. Zero-day attacks that it cannot detect would notbe calculated in its findings. Using these, the company analyzedsecurity incidents from more than 600 million systems in more than 100countries for the first half of 2011, many of them Windows PCs owned byconsumers or small businesses without dedicated IT staff.
It’s not surprising that Microsoft’s research validates thatMicrosoft’s newer products are more secure and that its preventionmethods are working. Nevertheless, the report also offers insight intothe types of preventable infections that PCs still fall prey to.
Second on the list of most popular infections were attacks against theWindows OS, which saw an increase in the second quarter. This wasentirely thanks to exploits using a vulnerability in Windows Shell madefamous by Stuxnet. Microsoft had patchedthis hole in August 2010 for all versions of Windows (including WS2008server core installations).
The next most detected attacks were those that entered through HTML andJavascript, then holes in document readers including Office, followedby vulnerabilities in Adobe Flash.
The overall theme in Microsoft’s latest 2011 security threats findsthat old is bad, new is good, while social networks are the newbreeding ground for successful phishing attacks. Overall, 27threats represented more than 80% of all malware detected in the periodand nearly all of it was preventable through already available patches.
While hackers are forever finding software vulnerabilities, improvedsoftware security techniques are making it harder for those attacks tohave much effect in the wild, says Jeff Jones, director for MicrosoftTrustworthy Computing. Techniques like stack overflow protection, dataexecution prevention and address space layout randomization limit theseverity of infections if they can plant malware on machines.
“Newer is better, and I’m not just saying for Microsoft products.Smartphone makers are building in newer techniques like address spacerandomization,” says Jones, who couldn’t resist adding a plug forWindows 7. “If you are running a product that’s 10 years old, time tothink to moving product more recent than that.”
For instance, infection rates are dramatically lower between older andnewer versions of Windows, with 10.9% of Windows XP SP3, the currentversion, succumbing to infections; Vista SP2 32-bit users were hit 5.7%of the time, Windows 7 32-bit 4% and Windows 7 SP1 32-bit a mere 1.8%(with 64-bit infection rates even lower). Microsoft normalizes thesestatistics, comparing an equal number of computers per version, so thenumber of XP users vs. Windows 7 users does not taint the findings.Windows 7 SP1 was released in February and was essentially a roll-uprelease of security and bug fixes, with no added functionality.
Android attacks rising
Meanwhile, the report says exploits affecting Android and theOpen Handset Alliance were on the rise. These were detected whenAndroid users downloaded infected programs to their Windows computersbefore transferring the software to their devices. The biggest was aTrojan family it calls AndroidOS/DroidDream, “which often masqueradesas a legitimate Android application, and can allow a remote attacker togain access to the mobile device,” the report says. Google fixed thathole with a security update published in March; however, detectedDroidDream infections continued to rise through the second quarter.
There was some good news. Many of the methods Microsoft has implementedto limit the severity of infections are having some effect, ifMicrosoft does say so itself. For instance, in February, Microsoftreleased an update for XP and Vista systems which fixed the Autorunfeature from being so easily abused. Windows 7 always included thisfeature. Autorun is a favorite method to spread Conficker, which stillappears as a top infection on enterprise networks, the report says. Amore secure Autorun doesn’t automatically launch applications on thumbdrives and DVDs.
Microsoft reports that Autorun infections decreased by as much as 82%.However, Autorun is still a top prorogation technique, and 43% ofmalware included Autorun as a propagation method, the report says.
Likewise, with Microsoft’s help in taking down the botnets Cutwail and Rustock, spam rates dropped fromabout 90 billion blocked messages in July 2010 to about 25 billion inJune 2011.
Now for the bad news. The report did not indicate that overallinfections were down. What hackers are losing in the way of easydrive-by infections and Autorun propagation, they seem to be making upfor in phishing via social media, such as Facebook clickjackingattacks. “In April 84% of all phishing was through social networks,”Jones says.
As Microsoft sees it, protection against these attacks remains in yourhands, by keeping up on patches and fixes.
