Microsoft Downplays Risks of Zero-Day Exploits -- Redmondmag.com

Microsoft Downplays Risks of Zero-Day Exploits

By Chris Paoli
10/11/2011

Zero-day software vulnerabilities may be alarming, but a new report from Microsoft sees them as not the biggest risk for organizations and PC users.

According to Microsoft, only 0.12 percent of all software exploits in the first half of this year were associated with "zero-day" malware, which taps into unpublicized security vulnerabilities in software. The company disclosed this information in its biannual Microsoft Security Intelligence Report, released this week. In it, Microsoft reported that over 99 percent of the remaining attacks "distributed malware through familiar techniques, such as social engineering and unpatched vulnerabilities."

"The risk associated with zero-day exploits is real and should be represented in organizations' risk management plans," said Tim Robbins, director of product management in Microsoft’s Trustworthy Computing group, in a blog post. "That said, the data in this study helps put that risk into perspective relative to the top malware threats and exploit attempts observed in use on the Internet."

Microsoft attributed the low number of actual zero-day exploits to the diligence of security vendors providing patches and detection signatures quickly after a vulnerability is discovered. Microsoft provided some examples, pointing to two Adobe zero-day exploits that made up the majority of the 0.12 percent of attacks in the first half of 2011. Adobe released an update to its Flash player less than a week after the first zero-day incident was reported and issued a fix two days after a June 12 exploit incident occurred.

Many software security vendors emphasize zero-day exploits because of the implicit newness of the vulnerability.

"The zero-day vulnerability is especially alarming for consumers and IT professionals, and for good reason -- it combines fear of the unknown and an inability to fix the vulnerability, which leaves users and administrators feeling defenseless," Microsoft wrote in the report. "It's no surprise that zero-day vulnerabilities often receive considerable coverage in the press when they arise, and can be treated with the utmost level of urgency by the affected vendor and the vendors' customers."

However, Microsoft took a slightly different view in the SIRS report. While diligence is not a bad policy, these zero-day attacks are miniscule compared with the totality of security issues.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

Featured

Microsoft and OpenAI Continue Global AI Expansions

Microsoft and OpenAI each continued their global expansion this month, with the announcements of new infrastructure investments and service rollouts in new regions, like Asia and the Middle East.
Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.
What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.