Computer infected? Blame yourself, Microsoft report concludes

Zero-day exploits are nerve-racking for IT professionals but are far less dangerous than unpatched older vulnerabilities for which fixes are available, Microsoft says.

A zero-day is a vulnerability for which a patch is not yet available. These accounted for less than 1% of all detected infections in the first half of 2011, according to Microsoft's latest security research report. Instead, Microsoft finds that Java remains the worst cause of infections -- and old Java at that, with patches long since available.

SURVEY: Microsoft patching: Still painful after all these years

"Java exploits were responsible for between one-third and one-half of all exploits observed in each of the four most recent quarters," says the Microsoft Security Intelligence Report Volume 11, released Tuesday. ]. Java attacks include infections from holes in the Java Runtime Environment, Java Virtual Machine, and Java SE in the Java Development Kit.

Like previous versions of this report, Microsoft finds that nearly all infections could have been stopped if the user had been using the latest version of software, or had not clicked on a malware-laced link. Note that the report is limited to instances of attacks that Microsoft can detect through its Malicious Software Removal Tool and its other anti-malware products. Zero-day attacks that it cannot detect would not be calculated in its findings. Using these, the company analyzed security incidents from more than 600 million systems in more than 100 countries for the first half of 2011, many of them Windows PCs owned by consumers or small businesses without dedicated IT staff.

It's not surprising that Microsoft's research validates that Microsoft's newer products are more secure and that its prevention methods are working. Nevertheless, the report also offers insight into the types of preventable infections that PCs still fall prey to.

Second on the list of most popular infections were attacks against the Windows OS, which saw an increase in the second quarter. This was entirely thanks to exploits using a vulnerability in Windows Shell made famous by Stuxnet. Microsoft had patched this hole in August 2010 for all versions of Windows (including WS2008 server core installations).

The next most detected attacks were those that entered through HTML and Javascript, then holes in document readers including Office, followed by vulnerabilities in Adobe Flash.

The overall theme in Microsoft's latest 2011 security threats finds that old is bad, new is good, while social networks are the new breeding ground for successful phishing attacks. Overall, 27 threats represented more than 80% of all malware detected in the period and nearly all of it was preventable through already available patches.

While hackers are forever finding software vulnerabilities, improved software security techniques are making it harder for those attacks to have much effect in the wild, says Jeff Jones, director for Microsoft Trustworthy Computing. Techniques like stack overflow protection, data execution prevention and address space layout randomization limit the severity of infections if they can plant malware on machines.

"Newer is better, and I'm not just saying for Microsoft products. Smartphone makers are building in newer techniques like address space randomization," says Jones, who couldn't resist adding a plug for Windows 7. "If you are running a product that's 10 years old, time to think to moving product more recent than that."

For instance, infection rates are dramatically lower between older and newer versions of Windows, with 10.9% of Windows XP SP3, the current version, succumbing to infections; Vista SP2 32-bit users were hit 5.7% of the time, Windows 7 32-bit 4% and Windows 7 SP1 32-bit a mere 1.8% (with 64-bit infection rates even lower). Microsoft normalizes these statistics, comparing an equal number of computers per version, so the number of XP users vs. Windows 7 users does not taint the findings. Windows 7 SP1 was released in February and was essentially a roll-up release of security and bug fixes, with no added functionality.

Meanwhile, the report says exploits affecting Android and the Open Handset Alliance were on the rise. These were detected when Android users downloaded infected programs to their Windows computers before transferring the software to their devices. The biggest was a Trojan family it calls AndroidOS/DroidDream, "which often masquerades as a legitimate Android application, and can allow a remote attacker to gain access to the mobile device," the report says. Google fixed that hole with a security update published in March; however, detected DroidDream infections continued to rise through the second quarter.

There was some good news. Many of the methods Microsoft has implemented to limit the severity of infections are having some effect, if Microsoft does say so itself. For instance, in February, Microsoft released an update for XP and Vista systems which fixed the Autorun feature from being so easily abused. Windows 7 always included this feature. Autorun is a favorite method to spread Conficker, which still appears as a top infection on enterprise networks, the report says. A more secure Autorun doesn't automatically launch applications on thumb drives and DVDs.

Microsoft reports that Autorun infections decreased by as much as 82%. However, Autorun is still a top prorogation technique, and 43% of malware included Autorun as a propagation method, the report says.

Likewise, with Microsoft's help in taking down the botnets Cutwail and Rustock, spam rates dropped from about 90 billion blocked messages in July 2010 to about 25 billion in June 2011.

Now for the bad news. The report did not indicate that overall infections were down. What hackers are losing in the way of easy drive-by infections and Autorun propagation, they seem to be making up for in phishing via social media, such as Facebook clickjacking attacks. "In April 84% of all phishing was through social networks," Jones says.

As Microsoft sees it, protection against these attacks remains in your hands, by keeping up on patches and fixes.

Julie Bort is the editor of Network World's Microsoft Subnet and Open Source Subnet communities. She writes the Microsoft Update and Source Seeker blogs. Follow Bort on Twitter @Julie188.

Read more about wide area network in Network World's Wide Area Network section.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securityMicrosoftmalwareinteloperating systemssoftwareWindowsintrusionantispamzero-day

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Julie Bort

Network World
Show Comments



Victorinox Werks Professional Executive 17 Laptop Case

Learn more >



Back To Business Guide

Click for more ›

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?