What isn't clear at all is when MSRT (Microsoft's Malicious Software Removal Tool) started detecting the malware and how that affects the breakout by age. For example, MS08-067, which plugged one of the holes used by Conficker, was released in October 2008. MSRT started detecting Conficker.A in November. Would those early detections be considered zero-day? What about machines infected before MSRT could find them? What if the infection had nothing to do with the Windows vulnerability?
The current list concerns only the first half of 2011, so of course Conficker is "Update Long Available." But what about other infection families -- ones that are, perhaps, just starting to blossom or ones that aren't even detected yet? I guess that's what really bothers me about the claim that "less than 1 percent of all exploit attempts" in the first half used zero-day flaws. Microsoft isn't measuring exploit attempts, it's measuring infected machines -- and it's only measuring machines where the infection has been identified and categorized. There's an awful lot of wiggle room in the phrase "all exploit attempts."
There's no question that social engineering and infection vectors that require user interaction are by far the most common source of infections. Computers that haven't been patched in modern history certainly add to the toll. But there's a lot of reason to be concerned about zero-days -- not because of the sheer volume of infected machines, but because they all too frequently get directed at high-payoff targets.
This article, "In minimizing zero-day, Microsoft misses the point," was originally published at InfoWorld.com.