Microsoft downplays significance of zero-day flaws

Only one percent of security vulnerability exploits in the first half of the year were attacks against so-called zero-day flaws, Microsoft has said.

According to the software giant, 99 percent of exploits use common techniques such as social engineering and the targeting of unpatched, known vulnerabilities. A relatively small number of successful attacks are aimed at exploiting vulnerabilities that have not yet been publicly revealed, Microsoft said.

"Familiar threats continue to dominate the threat landscape. Less than one percent of vulnerability attacks were the zero-day term. That is a very small number and we need to keep that in mind," Microsoft Trustworthy Computing general manager Adrienne Hall said at the RSA Conference Europe 2011 in London on Tuesday.

Microsoft released the latest edition, volume 11, of its Security Intelligence Report (SIR) at the conference. SIRv11 shows that 45 percent of all malware propagation in the first half of 2011 was down to user interaction, usually after being tricked into clicking what should not be clicked.

"In addition, more than a third of all malware is spread through cybercriminal abuse of Win32/Autorun, a feature that automatically starts programs when external media, such as a CD or USB, are inserted into a computer," Microsoft said in a statement.

The company added that 90 percent of exploit-related infections targeted vulnerabilities for which the software vendor had made a security update available more than a year before.

"The insight about global online threats, including zero-days, from SIRv11 helps our mutual customers better prioritise defenses to more effectively manage risk,", Brad Arkin, security and privacy chief at Adobe — whose software is a frequent target of attacks — said in the statement. "It also provides a good reminder on the importance of keeping systems up to date with the latest security protections."

Tom Espiner contributed to this report.