Zero-day exploits are nerve-racking for IT professionals but are far less dangerous than unpatched older vulnerabilities for which fixes are available, Microsoft says.
A zero-day is a vulnerability for which a patch is not yet available. These accounted for less than 1 percent of all detected infections in the first half of 2011, according to Microsoft's latest security research report. Instead, Microsoft finds that Java remains the worst cause of infections -- and old Java at that, with patches long since available.
"Java exploits were responsible for between one-third and one-half of all exploits observed in each of the four most recent quarters," says the Microsoft Security Intelligence Report Volume 11, released Tuesday. [Full report PDF]. Java attacks include infections from holes in the Java Runtime Environment, Java Virtual Machine, and Java SE in the Java Development Kit.
Like previous versions of this report, Microsoft finds that nearly all infections could have been stopped if the user had been using the latest version of software or had not clicked on a malware-laced link. Note that the report is limited to instances of attacks that Microsoft can detect through its Malicious Software Removal Tool and its other anti-malware products. Zero-day attacks that it cannot detect would not be calculated in its findings. Using these, the company analyzed security incidents from more than 600 million systems in more than 100 countries for the first half of 2011, many of them Windows PCs owned by consumers or small businesses without dedicated IT staff.
It's not surprising that Microsoft's research validates that Microsoft's newer products are more secure and that its prevention methods are working. Nevertheless, the report also offers insight into the types of preventable infections that PCs still fall prey to.
Second on the list of most popular infections were attacks against the Windows OS, which saw an increase in the second quarter. This was entirely thanks to exploits using a vulnerability in Windows Shell made famous by Stuxnet. Microsoft had patched this hole in August 2010 for all versions of Windows (including WS2008 server core installations).
The overall theme in Microsoft's latest 2011 security threats finds that old is bad, new is good, while social networks are the new breeding ground for successful phishing attacks. Overall, 27 threats represented more than 80 percent of all malware detected in the period and nearly all of it was preventable through already available patches.