Zero-day vulnerabilities: They’re nothing special, says Microsoft

Zero-day vulnerabilities are the smallest attack vector among all the attack vectors from the most recent Microsoft report

Social engineering and AutoRun attacks made up the bulk of exploits companies are seeing on their systems and networks, according to the latest Security Intelligence Report (SIR) released Tuesday by Microsoft. The company collects data from over 600 million systems and billions of web pages in over 100 countries.

Media coverage of zero-day vulnerabilities “gets people’s attention and gives them the sense that they have to do something to protect themselves”, said Jeff Jones, director of Microsoft’s Trustworthy Computing group. However, zero-day vulnerabilities are the smallest attack vector among all the attack vectors from the Microsoft data, he stressed.

Social engineering attacks made up around 45% of attack vectors and more than a third were attributed to abuse of the AutoRun capability, according to SIR data.

AutoRun is a feature that lets a program on inserted media run automatically, without the user having to start it. “If it can have a positive use, then of course attackers will find a negative way to use it as well. It is a method by which malware can spread”, Jones said. Microsoft has taken steps to “lock down” the AutoRun feature, but it still makes up more than one-third of exploits.

Included in the social engineering category are fake security software, packaging of malicious software with non-malicious software, email scams, and phishing attacks.

In fact, phishing attempts targeting social networking sites reached 84% in April and accounted for almost half of all phishing attempts over the period. In total, phishing messages increased significantly over the period, going from 2.8% of total exploits in January to 7.2% in June, according to Microsoft data.

“There is this continuing trend of more and more phishing being injected directly into social networking sites”, Jones told Infosecurity.

The report found that the web was the most common exploit delivery vector. “This is a variation on a trend we have seen for a while, which is a move away from attacking platforms and more toward application software and the web”, Jones said.

Java was the most frequently targeted software, with many of the exploited Java vulnerabilities being several years old. “This means that updates for the vulnerabilities were available for well over a year”, he observed.

Jones offered a number of measures companies can take to reduce exposure to the exploits identified in the report: implement security development practices, educate employees and customers about information security, invest in newer products with better protections, and consider using the cloud.
