In minimizing zero-day, Microsoft misses the point

Zero-day vulnerabilities account for a minuscule slice of Microsoft malware pie, but sheer numbers don't tell the whole story

If you've waded through Microsoft's latest Security Intelligence Report and its special ZeroDay Article, you may have been struck by the claim that "less than 1 percent of all exploit attempts" against Microsoft software in the first half of 2011 took advantage of zero-day vulnerabilities.

While Microsoft's counting methodology makes a lot of sense, it doesn't cover all the bases -- and its conclusion isn't particularly accurate since it underestimates the impact of these attacks. In a nutshell, here's how the Microsoft Security Resource Center researchers came up with their numbers.

Microsoft collects extensive information about infections through the Malicious Software Removal Tool (MSRT), which scans 600 million Windows computers every month, rooting out identified malware and reporting back to Microsoft on what it found and quashed.

For this exercise, Microsoft took a look at the 28 most common infection families, which together accounted for about 90 percent of all the infected machines. The list reads like a who's who of modern malicious software, including Alureon, Conficker, Fakespy, and Zbot. Each of the 28 families was tagged with infection methods, e.g., AutoRun, Office macro, direct file infection, and user interaction required. In a nod to the intractability of the task, Microsoft gave each of the infection methods equal weight in coming up with a grand total of infection vectors.

Microsoft gives the example of Conficker, which was identified as propagating via a specific Windows vulnerability (fixed in MS08-067), as well as via Net AutoRun, USB AutoRun, and brute-force password guessing. For every 100 identified Conficker-infected machines, Microsoft says 25 were ascribed to the Windows exploit, 25 to the Net AutoRun vulnerability, 25 to the USB AutoRun vulnerability, and 25 to brute-force password guessing.

This is where Microsoft's description turns fuzzy. The Windows exploit vulnerabilities (by definition, security holes with CVE entries) are further broken down by age -- zero-day for exploits that existed before the security patch was released; "Update Available" for vulnerabilities that had been patched less than a year prior to detection; and "Update Long Available" when the patch had been around for more than a year.

What isn't clear at all is when MSRT started detecting the malware and how that affects the breakout by age. For example, MS08-067, which plugged one of the holes used by Conficker, was released in October 2008. MSRT started detecting Conficker.A in November. Would those early detections be considered zero-day? What about machines infected before MSRT could find them? What if the infection had nothing to do with the Windows vulnerability?

The current list concerns only the first half of 2011, so of course Conficker is "Update Long Available." But what about other infection families -- ones that are, perhaps, just starting to blossom or ones that aren't even detected yet? I guess that's what really bothers me about the claim that "less than 1 percent of all exploit attempts" in the first half used zero-day flaws. Microsoft isn't measuring exploit attempts, it's measuring infected machines -- and it's only measuring machines where the infection has been identified and categorized. There's an awful lot of wiggle room in the phrase "all exploit attempts."
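The equal-weight attribution and age buckets described above, sketched as an added example (not Microsoft's code or data, and not part of the original article). It shows how the zero-day share moves depending on whether a vulnerability's age is judged at the detection date or at the infection date; the field names, `FamilyX`, `FamilyY`, the machine counts other than Conficker's 100, and all dates other than the October 2008 patch month are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data, not Microsoft's figures. The Conficker row follows the
# article (100 machines, four methods, patch released October 2008); the exact
# days, the "infected" dates and FamilyX/FamilyY are assumptions for illustration.
FAMILIES = [
    {"name": "Conficker", "machines": 100, "patched": date(2008, 10, 1),
     "infected": date(2011, 2, 1), "detected": date(2011, 2, 1),
     "methods": ["exploit", "net_autorun", "usb_autorun", "password_guessing"]},
    {"name": "FamilyX", "machines": 60, "patched": date(2011, 4, 1),
     "infected": date(2011, 3, 15), "detected": date(2011, 5, 1),
     "methods": ["exploit", "user_interaction"]},
    {"name": "FamilyY", "machines": 240, "patched": None,
     "infected": date(2011, 1, 10), "detected": date(2011, 1, 20),
     "methods": ["user_interaction"]},
]

def age_bucket(patched, reference):
    """Age of an exploited vulnerability relative to a reference date."""
    if reference < patched:
        return "zero-day"
    if (reference - patched).days < 365:
        return "update available"
    return "update long available"

def attribute(families, reference_field):
    """Split each family's machines equally across its methods, then bucket
    the exploit share by patch age as of the chosen reference date."""
    totals = defaultdict(float)
    for fam in families:
        share = fam["machines"] / len(fam["methods"])
        for method in fam["methods"]:
            if method == "exploit":
                method = age_bucket(fam["patched"], fam[reference_field])
            totals[method] += share
    return dict(totals)

def zero_day_share(families, reference_field):
    """Fraction of all attributed machines that land in the zero-day bucket."""
    totals = attribute(families, reference_field)
    return totals.get("zero-day", 0.0) / sum(totals.values())

if __name__ == "__main__":
    for field in ("detected", "infected"):
        print(field, attribute(FAMILIES, field),
              f"zero-day share = {zero_day_share(FAMILIES, field):.1%}")
```

With the same machines, FamilyX's exploit share counts as "update available" when dated by detection and as zero-day when dated by infection, a date that a removal tool running after the fact generally cannot observe.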

There's no question that social engineering and infection vectors that require user interaction are by far the most common source of infections. Computers that haven't been patched in modern history certainly add to the toll. But there's a lot of reason to be concerned about zero-days -- not because of the sheer volume of infected machines, but because they all too frequently get directed at high-payoff targets.

This article, "In minimizing zero-day, Microsoft misses the point," was originally published at InfoWorld.com.

Copyright © 2011 IDG Communications, Inc.
