Majority of malware attacks preventable, says Microsoft

A new report from Microsoft has concluded that the majority of hacking attacks rely on exploiting known security flaws and are hence preventable. The six-month-long research was conducted by the Trustworthy Computing group at Microsoft, culminating in Volume 11 of the Microsoft Security Intelligence Report that was presented at the RSA Conference Europe 2011.

Given how malware infections that exploit zero-day vulnerabilities tend to get top billing in news headlines, it is inevitable that the average user would consider them the top problem in IT security. Zero-day vulnerabilities are undiscovered flaws in computer software that are exploited by hackers and authors of malware to break into or gain control of computer systems. They are difficult to defend against due to their novel nature, which may leave novice users experiencing a sense of helplessness.

With less than 1 percent of exploits discovered in the first six months of 2011 being attributed to zero-day vulnerabilities, the report passes the onus back to end-users to keep their personal PCs protected.  And while the report mentions Microsoft's own Microsoft Security Essentials antimalware tool, the implicit warning is that antimalware defenses alone are an insufficient substitute for keeping one's PC up-to-date on security patches and software updates.

To get a feel for how to prioritize which software patches to install, below is a short list that summarizes some of the most prevalent malware vectors highlighted by the Microsoft report:

  • Operating system vulnerabilities
  • Java runtime environments
  • Adobe Flash
  • Document parsers (PDF, Microsoft Office file formats)
  • HTML/JavaScript (Browser)

A quick glance through the list makes it clear that users may want to stop ignoring the prompt to update their Java runtime or disabling Windows Update. Moreover, it may also be wise to periodically check the auto-update mechanism in your favorite Web browser to validate that updates are working properly.

Finally, it may be worth noting that social engineering techniques also play a big part in tricking users into doing something dangerous, which is probably where security software plays a part in mitigating some of the risk.

Source: Microsoft Security Intelligence Report, Volume 11 (pdf)