Social Engineering: A Real Persistent Threat

I hear a great deal about 0-day attacks, and a great deal of security vendor PR is (depending on market sector) predicated on the assumption that 0-days are the most prevalent threat. Notwithstanding some highly visible 0-day attacks over the years, I don’t believe that to be true.

In fact, I’ve had some lively discussions elsewhere with users of Mac OS (this argument goes way back before OS X) and occasionally Linux who believe that the Windows malware problem is entirely due to deficiencies in the operating system and inadequate updating, and that you shouldn’t take into account threats that make any use of social engineering (whatever you understand by that term) because they can’t be remediated and somehow don’t count.
Whatever the merits of that argument, I’m not about to dismiss a class of threat that I know to account for an extraordinarily high proportion of malware, irrespective of platform, because of the sensitivities of the “Windoze Bad, Mac Good” mindset.
It seems that Dancho Danchev is also sceptical of the assumption that 0-days rule the roost: first of all, he recently reminded us of his 2010 article “Seven myths about zero day vulnerabilities debunked”, then he followed up with “Which is the most popular malware propagation tactic?”, making use of statistics from Microsoft’s Security Intelligence Report.
He didn’t make an explicit link between Mac fanboi attitudes and Microsoft’s research, of course. That’s my bête noire, and in any case, Microsoft’s figures don’t include OS X: it’s quite possible that an equivalent study would show significant differences between operating systems. Furthermore, I can already hear a chorus of “well, they would say that, wouldn’t they?” starting to swell from the other side of the quasi-religious divide.
However, Microsoft’s report states that:
  • About six percent of the MSRT detections that were analyzed were attributed to exploits—malicious code that attempts to exploit vulnerabilities in applications or operating systems.
  • None of the top families in the MSRT were documented as using zero-day exploits in 1H11.
  • Out of all the vulnerability exploitation detected by the MMPC, less than one percent was zero-day exploit activity.
Compare that to the 44.8% that required user interaction. (There are a number of other categories that would overlap with that, so don’t take it as an absolute figure. Just think about the contrast...)
The Microsoft report is not a tablet of stone: it’s an interpretation of figures based on a partial view of the Windows threatscape, authored by a company with a vested interest (no, I don’t think for a moment that Microsoft would falsify the figures!) But if you’ve bought into the received wisdom that malware is all about 0-days, it’s certainly worth your time to read Danchev’s blogs and the Microsoft report. Irrespective of which operating system you favour personally...

What’s Hot on Infosecurity Magazine?