Zeroing In on Malware Propagation Methods
Among the array of technical and non-technical mechanisms that malicious parties have at their disposal for attacking computers and stealing data, the zero-day vulnerability—a software vulnerability that is successfully exploited before the software vendor has published a security update addressing it—is especially significant for security professionals and attackers alike. Zero-day vulnerabilities—according to the conventional wisdom, at least—cannot be effectively defended against, and can arise at any time, leaving even security-conscious IT administrators essentially at their mercy. While technologies like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) have been introduced to make it more difficult to reliably exploit software, and processes like the Secure Development Lifecycle (SDL) have been shown to reduce the incidence of software vulnerabilities, these vulnerabilities continue to capture the imagination.
The zero-day vulnerability strikes fear in the hearts of consumers and IT professionals, and for good reason—it combines fear of the unknown and an inability to fix the vulnerability, which leaves users and administrators feeling defenseless. It's no surprise that zero-day vulnerabilities often receive enormous coverage in the press when they arise, and can be treated with the utmost level of urgency by the affected vendor and the vendors' customers.
Despite this level of concern, there has been little measurement of the zero-day threat in the context of the broader threat landscape. This section of the Microsoft Security Intelligence Report presents such an analysis, along with details of the methodology used, a discussion of the insights gained from it, and some information about what's been done with those insights.
This analysis approaches these questions in two ways. First, it establishes a method to estimate how malware propagates, including the use of zero-day exploits. Second, it measures the amount of zero-day exploitation in comparison to overall vulnerability exploitation. In other words, what are the relative proportions of exploitation before and after the update?
This analysis was undertaken for a number of reasons. Microsoft is always seeking better statistics about the frequency of zero-day exploitation and the risk customers face from it. Also, Microsoft frequently fields questions about zero-day vulnerabilities from a variety of interested parties, ranging from journalists to IT security professionals. It is important to provide timely and accurate answers to such questions, but also to help put them in perspective relative to other threats in the greater security landscape. In a more general sense, it serves everyone—IT and security professionals as well as consumers—to have realistic models of the way malware spreads in today's world. At a time when effective cooperation and coordination of security efforts across corporate and political borders is as important as it has ever been, it is only through an accurate shared understanding of the threats all users face that IT and security pros can create the most effective defense.
One important goal of this analysis is to give security professionals information they can use to prioritize their concerns and effectively manage risks. Like everyone else, IT departments face constraints of time, budget, personnel, and resources when planning and performing their work. Having accurate, up-to-date information about the threat landscape enables security professionals to effectively prioritize their defenses and help keep their networks, software, and people safe.