Computer infected? Blame yourself, Microsoft report concludes

Zero-day exploits are nerve-racking for IT professionals but are far less dangerous than unpatched older vulnerabilities for which fixes are available, Microsoft says.

A zero-day is a vulnerability for which a patch is not yet available. These accounted for less than 1% of all detected infections in the first half of 2011, according to Microsoft's latest security research report. Instead, Microsoft finds that Java remains the worst cause of infections -- and old Java at that, with patches long since available.


"Java exploits were responsible for between one-third and one-half of all exploits observed in each of the four most recent quarters," says the Microsoft Security Intelligence Report Volume 11, released Tuesday. Java attacks include infections through holes in the Java Runtime Environment, the Java Virtual Machine, and Java SE in the Java Development Kit.

Like previous versions of this report, Microsoft finds that nearly all infections could have been stopped if the user had been running the latest version of the software, or had not clicked on a malware-laced link. Note that the report is limited to attacks that Microsoft can detect through its Malicious Software Removal Tool and its other anti-malware products; zero-day attacks that it cannot detect are not counted in its findings. Using these tools, the company analyzed security incidents from more than 600 million systems in more than 100 countries for the first half of 2011, many of them Windows PCs owned by consumers or small businesses without dedicated IT staff.

It's not surprising that Microsoft's research validates that Microsoft's newer products are more secure and that its prevention methods are working. Nevertheless, the report also offers insight into the types of preventable infections that PCs still fall prey to.

Second on the list of most popular infections were attacks against the Windows OS, which saw an increase in the second quarter. This was entirely thanks to exploits using a vulnerability in Windows Shell made famous by Stuxnet. Microsoft had patched this hole in August 2010 for all versions of Windows (including WS2008 server core installations).

The next most detected attacks were those that entered through HTML and JavaScript, then holes in document readers including Office, followed by vulnerabilities in Adobe Flash.

The overall theme of Microsoft's latest report on 2011 security threats is that old is bad, new is good, and social networks are the new breeding ground for successful phishing attacks. Overall, 27 threats represented more than 80% of all malware detected in the period, and nearly all of it was preventable through already available patches.

While hackers are forever finding software vulnerabilities, improved software security techniques are making it harder for those attacks to have much effect in the wild, says Jeff Jones, director for Microsoft Trustworthy Computing. Techniques like stack overflow protection, data execution prevention and address space layout randomization limit the severity of infections even when attackers manage to plant malware on machines.

"Newer is better, and I'm not just saying that for Microsoft products. Smartphone makers are building in newer techniques like address space randomization," says Jones, who couldn't resist adding a plug for Windows 7. "If you are running a product that's 10 years old, it's time to think about moving to a product more recent than that."

For instance, infection rates differ dramatically between older and newer versions of Windows: 10.9% of Windows XP SP3 systems, the current XP version, succumbed to infections; Vista SP2 32-bit users were hit 5.7% of the time, Windows 7 32-bit 4%, and Windows 7 SP1 32-bit a mere 1.8% (with 64-bit infection rates even lower). Microsoft normalizes these statistics, comparing an equal number of computers per version, so the number of XP users vs. Windows 7 users does not taint the findings. Windows 7 SP1 was released in February and was essentially a roll-up release of security and bug fixes, with no added functionality.

Meanwhile, the report says exploits affecting Android and the Open Handset Alliance were on the rise. These were detected when Android users downloaded infected programs to their Windows computers before transferring the software to their devices. The biggest was a Trojan family it calls AndroidOS/DroidDream, "which often masquerades as a legitimate Android application, and can allow a remote attacker to gain access to the mobile device," the report says. Google fixed that hole with a security update published in March; however, detected DroidDream infections continued to rise through the second quarter.

There was some good news. Many of the methods Microsoft has implemented to limit the severity of infections are having some effect, if Microsoft does say so itself. For instance, in February, Microsoft released an update for XP and Vista systems that stopped the Autorun feature from being so easily abused; Windows 7 always included this protection. Autorun is a favorite method for spreading Conficker, which still appears as a top infection on enterprise networks, the report says. A more secure Autorun doesn't automatically launch applications on thumb drives and DVDs.

Microsoft reports that Autorun infections decreased by as much as 82%. However, Autorun is still a top propagation technique, and 43% of malware included Autorun as a propagation method, the report says.

Likewise, with Microsoft's help in taking down the botnets Cutwail and Rustock, spam rates dropped from about 90 billion blocked messages in July 2010 to about 25 billion in June 2011.

Now for the bad news. The report did not indicate that overall infections were down. What hackers are losing in the way of easy drive-by infections and Autorun propagation, they seem to be making up for in phishing via social media, such as Facebook clickjacking attacks. "In April 84% of all phishing was through social networks," Jones says.

As Microsoft sees it, protection against these attacks remains in your hands, by keeping up on patches and fixes.

Julie Bort is the editor of Network World's Microsoft Subnet and Open Source Subnet communities. She writes the Microsoft Update and Source Seeker blogs. Follow Bort on Twitter @Julie188.
