Microsoft dismisses zero-day threats

Microsoft has played down the danger posed by zero-day bugs, claiming that only a tiny proportion of malicious exploits target unpatched vulnerabilities.

In its latest Security Intelligence Report, the company said only 1 percent of exploits targeted newly discovered threats, meaning that administrators should focus on social-engineering scams and keeping software up to date to avoid as many threats as possible, rather than stress over zero-days.

"Consider this information when prioritising security practices," said Vinny Gullotto, general manager at the Microsoft Malware Protection Center.

"The Security Intelligence Report provides techniques and guidance to mitigate common infection vectors, and its data helps remind us that we can't forget about the basics. Techniques such as exploiting old vulnerabilities, Win32/Autorun abuse, password cracking and social engineering remain lucrative approaches for criminals."

The company said 90 percent of infections that were attributed to vulnerability exploitation had been addressed by a security update available from the software vendor for more than a year.

According to Microsoft, end-user weaknesses - typically falling for social-engineering techniques - were to blame for almost half of all malware propagation in the first half of the year, while more than a third of all malware was spread through cybercriminal abuse of Win32/Autorun.

Microsoft was also quick to point the finger at other software manufacturers, highlighting findings that showed “the most commonly observed type of exploits in the first half of the year were those targeting vulnerabilities in the Oracle Java Runtime Environment, Java Virtual Machine, and Java SE in the Java Development Kit2".

Microsoft said Java exploits were responsible for between a third and half of all exploits observed in the past year, although the report did admit that exploits targeting the Windows vulnerability CVE-2010-2568 had seen operating system exploits rise sharply in Q2 this year.