If you've waded through Microsoft's latest Security Intelligence Report and its special zero-day article, you may have been struck by the claim that "less than 1 percent of all exploit attempts" against Microsoft software in the first half of 2011 took advantage of zero-day vulnerabilities.
While Microsoft's counting methodology makes a lot of sense, it doesn't cover all the bases -- and its headline conclusion isn't particularly accurate, because the method understates the impact of zero-day attacks. In a nutshell, here's how the Microsoft Security Response Center researchers came up with their numbers.
Microsoft collects extensive information about infections through the Malicious Software Removal Tool (MSRT), which runs on roughly 600 million Windows computers every month, removing the malware families it carries signatures for and reporting each detection and removal back to Microsoft. Note that this means the data covers only known, already-identified families; malware MSRT cannot recognize never enters the count.
For this exercise, Microsoft looked at the 28 most common infection families, which together accounted for about 90 percent of all infected machines. The list reads like a who's who of modern malicious software, including Alureon, Conficker, Fakespy, and Zbot. Each of the 28 families was tagged with its infection methods, e.g., AutoRun, Office macro, direct file infection, and user interaction required. In a nod to the intractability of working out which method actually caused a given infection, Microsoft gave each of a family's infection methods equal weight when rolling the counts up into a grand total per infection vector.
Microsoft gives the example of Conficker, which propagates via a specific Windows vulnerability (fixed in MS08-067) as well as via Net AutoRun, USB AutoRun, and brute-force password guessing. For every 100 identified Conficker-infected machines, Microsoft ascribes 25 to the Windows exploit, 25 to Net AutoRun, 25 to USB AutoRun, and 25 to brute-force password guessing -- regardless of how many of those machines were actually compromised through each route.
This is where Microsoft's description turns fuzzy. The Windows exploit vulnerabilities (by definition, security holes with CVE entries) are further broken down by age: "zero-day" when the exploit was in use before the security update was released; "Update Available" when the update had been out for less than a year at the time of detection; and "Update Long Available" when the update had been out for more than a year.
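To make the counting rule concrete, here is a small re-implementation of the attribution described above: each family's infection count is split equally across its listed infection methods, the exploit vectors are then bucketed by patch age at detection time, and the zero-day share is the zero-day bucket divided by all exploit-vector attributions. This is an added example, not code from Microsoft or from the report. The family counts, the detection date, the "Example-A"/"Example-B" families and the "EXAMPLE-recent"/"EXAMPLE-unpatched" vulnerability labels are all constructed for illustration; only MS08-067 and its 2008-10-23 release date are real.

```python
"""Equal-weight infection-vector attribution, as described in Microsoft's SIR.
Constructed sample data; only MS08-067 and its release date are real."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Family:
    name: str
    infected: int   # machines on which MSRT found the family (constructed)
    vectors: list   # infection methods the family is tagged with


# Exploit vectors are tagged "Exploit:<id>"; anything else is a non-exploit vector.
SAMPLE_FAMILIES = [
    Family("Conficker", 400, ["Exploit:MS08-067", "AutoRun:Network",
                              "AutoRun:USB", "Password brute force"]),
    Family("Example-A", 60, ["Exploit:EXAMPLE-recent",            # hypothetical family
                             "Email attachment (user interaction)",
                             "Direct file infection"]),
    Family("Example-B", 40, ["Exploit:EXAMPLE-unpatched",         # hypothetical family
                             "Office macro"]),
]

# Security-update release date per exploited vulnerability; None = no update exists.
PATCH_DATES = {
    "MS08-067": date(2008, 10, 23),       # real release date
    "EXAMPLE-recent": date(2010, 12, 1),  # constructed
    "EXAMPLE-unpatched": None,            # constructed: still unpatched at detection
}

DETECTION_DATE = date(2011, 3, 1)  # constructed: a date inside 1H 2011


def attribute_equal_weight(families):
    """Split each family's infection count equally across its vectors and sum
    per vector. Conficker's four vectors therefore get 1/4 of its count each,
    whatever the real mix of propagation routes was."""
    totals = defaultdict(float)
    for fam in families:
        share = fam.infected / len(fam.vectors)
        for vector in fam.vectors:
            totals[vector] += share
    return dict(totals)


def age_bucket(patch_date: Optional[date], detection_date: date) -> str:
    """Classify an exploited vulnerability by how long its update had been
    available when the infection was detected."""
    if patch_date is None or detection_date < patch_date:
        return "Zero-day"
    if (detection_date - patch_date).days < 365:
        return "Update Available"
    return "Update Long Available"


def exploit_attempts_by_age(families, patch_dates, detection_date):
    """Roll the exploit-vector attributions up into the three age buckets."""
    buckets = defaultdict(float)
    for vector, count in attribute_equal_weight(families).items():
        if not vector.startswith("Exploit:"):
            continue  # AutoRun, macros, etc. are not exploit attempts
        vuln_id = vector.split(":", 1)[1]
        buckets[age_bucket(patch_dates[vuln_id], detection_date)] += count
    return dict(buckets)


def zero_day_share(families, patch_dates, detection_date):
    """Fraction of attributed exploit attempts that land in the zero-day bucket."""
    buckets = exploit_attempts_by_age(families, patch_dates, detection_date)
    total = sum(buckets.values())
    return buckets.get("Zero-day", 0.0) / total if total else 0.0


if __name__ == "__main__":
    for vector, count in sorted(attribute_equal_weight(SAMPLE_FAMILIES).items()):
        print(f"{vector:40s} {count:6.1f}")
    print(exploit_attempts_by_age(SAMPLE_FAMILIES, PATCH_DATES, DETECTION_DATE))
    share = zero_day_share(SAMPLE_FAMILIES, PATCH_DATES, DETECTION_DATE)
    print(f"zero-day share of exploit attempts: {share:.1%}")
```

Running it on the constructed data credits MS08-067 with 100 of Conficker's 400 infections, and the hypothetical unpatched vulnerability ends up as one-seventh of all exploit-vector attributions. The thing to notice is that the share depends as much on how many other vectors each family happens to be tagged with as on how often the exploit was really used: add one more non-exploit method to a family and its exploit vector's weight drops from 1/n to 1/(n+1) with no change in the underlying infections.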