Don’t worry about zero-days, says Microsoft

Microsoft released its Security Intelligence Report volume 11 (SIRv11), which found that less than 1 percent of exploits in the first half of 2011 were against zero-day vulnerabilities. In contrast, 99 percent of all attacks during the same period distributed malware through familiar techniques, such as social engineering and unpatched vulnerabilities.

SIRv11 provides insight into online threat data between January and June 2011 and analysis of data from Internet services and over 600 million computers from more than 100 geographies around the world. It focuses on software vulnerabilities, software vulnerability exploits, malicious and potentially unwanted software, and security breaches.

SIRv11 revealed that user interaction, typically employing social-engineering techniques, is attributed to nearly half (45 percent) of all malware propagation in the first half of 2011.

In addition, more than a third of all malware is spread through cybercriminal abuse of Win32/Autorun, a feature that automatically starts programs when external media, such as a CD or USB, are inserted into a computer. Threats that misused AutoRun were split between those that spread via removable volumes (26 percent of the total) and those that spread via network volumes (17 percent).

To combat these threats, Microsoft took several steps to help protect customers, including releasing an automatic update for the Windows XP and Windows Vista platforms in February 2011 to make the Autorun feature more secure, as it is by default in Windows 7. Within four months of issuing the update, the number of infections from the most prolific Win32/Autorun-abusing malware families was reduced by almost 60 percent on Windows XP and by 74 percent on Windows Vista in comparison to 2010 infection rates.

Ninety percent of infections that were attributed to vulnerability exploitation had a security update available from the software vendor for more than a year.

Vulnerabilities
Medium and High severity vulnerabilities disclosed in 1H11 were down 6.8 percent and 4.4 percent from 2H10, respectively. Low complexity vulnerabilities—the easiest ones to exploit—were down 41.2 percent from the prior 12-month period.

Exploits
The most commonly observed types of exploits in 1H11 were those targeting vulnerabilities in the Oracle (formerly Sun) Java Runtime Environment (JRE), Java Virtual Machine (JVM), and Java SE in the Java Development Kit (JDK). Detections of exploits targeting Adobe Flash, although uncommon in comparison to some other types of exploits, increased in 2Q11 to more than 40 times the volume seen in 1Q11 because of exploitation of a pair of newly- discovered vulnerabilities.

Exploits that target CVE-2010-2568, a vulnerability in Windows Shell, increased significantly in 2Q11, and were responsible for the entire 2Q11 increase in operating system exploits. The vulnerability was first discovered being used by the family Win32/Stuxnet in mid-2010. Exploits that affected Adobe Acrobat and Adobe Reader accounted for most document format exploits detected in the first half of 2011.

Malware
Win32/OpenCandy, an adware program that might be bundled with certain third-party software installation programs, was the most commonly detected threat family in 1H11 overall, followed by JS/Pornpop (a detection for specially crafted JavaScript-enabled objects that attempt to display pop-under advertisements in users’ web browsers) and Win32/Hotbar (adware that installs a browser toolbar that displays targeted pop-up ads based on its monitoring of web browsing activities).

Detections of Win32/FakeRean increased more than 300 percent from 1Q11 to 2Q11 to become the most commonly detected rogue security software family of the second quarter.

Malware families that are significantly more prevalent on domain-joined computers include Win32/Conficker and the potentially unwanted software program Win32/RealVNC. RealVNC is a program that enables a computer to be controlled remotely, similar to Remote Desktop Services. It has a number of legitimate uses, but attackers have also used it to gain control of users’ computers for malicious purposes.

Email threats
The volume of blocked spam decreased dramatically over the past 12 months – from 89.2 billion messages in July 2010 to 25.0 billion in June 2011 – primarily because of takedowns of the Cutwail and Rustock botnets.

Advertisements for nonsexual pharmaceutical products (28.0 percent of the total) and nonpharmaceutical product advertisements (17.2 percent) accounted for the majority of the blocked spam messages.

Phishing
Phishers have traditionally targeted financial sites more than other types of sites, but the largest share of phishing impressions in 1H11 was for sites that targeted social networks. Overall, impressions that targeted social networks accounted for 47.8 percent of all impressions in 1H11, followed by those that targeted financial institutions at 35.0 percent.

By contrast, phishing sites that targeted financial institutions accounted for an average of 78.3 percent of active phishing sites tracked each month in 1H11, compared to just 5.4 percent for social networks. Financial institutions targeted by phishers can number in the hundreds, and customized phishing approaches are required for each one. The number of popular social networking sites is much smaller, so phishers who target social networks can effectively target many more people per site.

Lesser targets include users of online services, gaming sites and e-commerce sites.

What to do
To help protect networks and systems, Microsoft advocates a multifaceted approach to managing risk:

  • Build products and services with security in mind. Microsoft and other vendors, such as Adobe Systems Inc., have invested in increased security measures, such as security-by-design, which are having an impact. Industry-disclosed vulnerabilities have dropped approximately 24 percent since July 2010 and have been trending down during the past five years.
  • Educate customers and employees. Companies should concentrate on educating employees on their responsibility to security and back that up by developing and enforcing companywide security policies in areas such as passwords.
  • Upgrade to the latest products and services. Making the move to the most current products and services helps increases protection against the most prevalent online threats. Windows Server 2008 R2 was 32 percent less likely to be infected than Windows Server 2003 SP2.
  • Consider cloud services. In a cloud-computing environment, the cloud vendor manages many of the security processes and procedures required to keep a system up to date, including the installation of security updates. Businesses and consumers constrained in managing the security of their computing environment can leverage cloud services to help offload portions of their security management.

“We encourage people to consider this information when prioritizing their security practices,” said Vinny Gullotto, general manager, Microsoft Malware Protection Center. “SIRv11 provides techniques and guidance to mitigate common infection vectors, and its data helps remind us that we can’t forget about the basics. Techniques such as exploiting old vulnerabilities, Win32/Autorun abuse, password cracking and social engineering remain lucrative approaches for criminals.”

To learn more about these threats in greater detail, download Microsoft’s Security Intelligence Report volume 11 here.