Zeroing in on Malware

Zeroing In on Malware Propagation Methods

Among the array of technical and non-technical mechanisms that malicious parties have at their disposal for attacking computers and stealing data, the zero-day vulnerability—a software vulnerability that is successfully exploited before the software vendor has published a security update addressing it—is especially significant for security professionals and attackers alike. Zero-day vulnerabilities—according to the conventional wisdom, at least—cannot be effectively defended against, and can arise at any time, leaving even security-conscious IT administrators essentially at their mercy. While technologies like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) have been introduced to make it more difficult to reliably exploit software, and processes like the Secure Development Lifecycle (SDL) have been shown to reduce the incidence of software vulnerabilities, these vulnerabilities continue to capture the imagination.

The zero-day vulnerability strikes fear in the hearts of consumers and IT professionals, and for good reason—it combines fear of the unknown and an inability to fix the vulnerability, which leaves users and administrators feeling defenseless. It’s no surprise that zero-day vulnerabilities often receive enormous coverage in the press when they arise, and can be treated with the utmost level of urgency by the affected vendor and the vendors’ customers.

Despite this level of concern, there has been little measurement of the zero-day threat in the context of the broader threat landscape. This section of the Microsoft Security Intelligence Report presents such an analysis, along with details of the methodology used, a discussion of the insights gained from it, and some information about what’s been done with those insights.


This analysis approaches these questions in two ways. First, it establishes a method to estimate how malware propagates, including the use of zero-day exploits. Second, it measures the amount of zero-day exploitation in comparison to overall vulnerability exploitation. In other words, what are the relative proportions of exploitation before and after the update?
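The before-and-after measurement described above, as an added Python example that is not from the report: it takes a vulnerability's update publication date and a list of observed exploitation attempts and reports what share was zero-day. The vulnerability names, dates and the convention that an attempt seen on the update's release day counts as post-update are constructed assumptions.

```python
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from the report). For each vulnerability: the date
# the vendor published a security update, or None if none exists yet.
UPDATE_DATES: Dict[str, Optional[date]] = {
    "VULN-A": date(2011, 3, 8),
    "VULN-B": date(2011, 6, 14),
    "VULN-C": None,  # still unpatched at analysis time: all exploitation is zero-day
}

# Constructed exploitation observations: (vulnerability, date the attempt was seen).
DETECTIONS: List[Tuple[str, date]] = [
    ("VULN-A", date(2011, 2, 20)),  # before the update -> zero-day
    ("VULN-A", date(2011, 3, 8)),   # release day -> post-update by our convention
    ("VULN-A", date(2011, 5, 1)),
    ("VULN-B", date(2011, 7, 2)),
    ("VULN-B", date(2011, 9, 30)),
    ("VULN-C", date(2011, 8, 11)),
]


def is_zero_day(seen: date, update_published: Optional[date]) -> bool:
    """Zero-day: exploitation observed before any update was published."""
    return update_published is None or seen < update_published


def measure(update_dates: Dict[str, Optional[date]],
            detections: List[Tuple[str, date]]) -> dict:
    """Count zero-day vs. post-update exploitation, overall and per vulnerability."""
    per_vuln: Dict[str, Dict[str, int]] = {}
    zero_day = 0
    for vuln, seen in detections:
        if vuln not in update_dates:
            raise KeyError(f"no update record for {vuln}")
        bucket = per_vuln.setdefault(vuln, {"zero_day": 0, "post_update": 0})
        if is_zero_day(seen, update_dates[vuln]):
            bucket["zero_day"] += 1
            zero_day += 1
        else:
            bucket["post_update"] += 1
    total = len(detections)
    return {
        "zero_day": zero_day,
        "post_update": total - zero_day,
        "zero_day_share": (zero_day / total) if total else 0.0,
        "per_vuln": per_vuln,
    }


if __name__ == "__main__":
    print(measure(UPDATE_DATES, DETECTIONS))
```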

This analysis was undertaken for a number of reasons. Microsoft is always seeking better statistics about the frequency of zero-day exploitation and the risk customers face from it. Also, Microsoft frequently fields questions about zero-day vulnerabilities from a variety of interested parties, ranging from journalists to IT security professionals. It is important to provide timely and accurate answers to such questions, but also to help put them in perspective relative to other threats in the greater security landscape. In a more general sense, it serves everyone—IT and security professionals as well as consumers—to have realistic models of the way malware spreads in today’s world. At a time when effective cooperation and coordination of security efforts across corporate and political borders are as important as they have ever been, it is only through an accurate shared understanding of the threats all users face that IT and security pros can create the most effective defense.

One important goal of this analysis is to give security professionals information they can use to prioritize their concerns and effectively manage risks. Like everyone else, IT departments face constraints of time, budget, personnel, and resources when planning and performing their work. Having accurate, up-to-date information about the threat landscape enables security professionals to effectively prioritize their defenses and help keep their networks, software, and people safe.
