It's time for a bit of a reality check regarding the "zero-day" bogeyman. It makes for great headlines, but a new report from Microsoft shows that the frightening menace of the zero-day is more urban myth than reality.
The Microsoft Security Intelligence Report Volume 11 is filled with valuable information about the current state and general trends of information security threats. This report focuses special attention on one particular aspect of security, though--the dreaded "zero-day".
Zero-day threats make for great headlines and evoke a sense of urgency among users and IT admins. I know because I am guilty of spreading the zero-day hype myself on occasion. Obviously, if there is a new "zero-day" we must all scramble to patch the flaw or find some way to protect our systems, right?
You can cool your jets and take a breath Chicken Little; the sky is not falling. The reality is that known vulnerabilities--often vulnerabilities which have been identified and had patches available for months--are a much bigger threat to your network and your PCs than the new proof-of-concept exploit some security researcher developed in a lab this morning.
An entry on the Microsoft Security Response Center blog explains, "The results from our analysis concluded that none of the top malware families in the first half of 2011 were known to be distributed through the use of 0-days, and while some smaller families did take advantage of 0-day vulnerabilities, less than 1 percent of all exploit attempts were against zero-day issues."
Research vs. Exploit
The concept of a zero-day threat originated from attacks circulating in the wild actively exploiting a vulnerability that was unknown prior to the discovery of the propagating threat. Discovering a virus or worm spreading across the Internet exploiting a flaw that nobody knows about is entirely different than a security researcher finding a new security hole.
A security researcher discovering a software vulnerability is not a "zero-day"--that's just called "doing his job". The fact that nobody knew about the potential threat prior to the discovery doesn't make it a "zero-day". The resulting hyperbolic headlines are just marketing for the vendor that discovered the flaw. It is really just shameless self-promotion disguised as an imminent "sky is falling" threat.
It is always good to be aware. If there is a new vulnerability discovered in the operating system or application software you rely on you should be informed, but take the information for what it's worth--and with a grain of salt. There is no need to freak out and take your network security posture to Defcon 1.
It is always better to respond that react. When a medication works a doctor says the patient is "responding well to treatment". When a medication backfires a doctor says "the patient is reacting to the treatment". See the difference?
Consider the vulnerability, and weigh your response accordingly. Are your systems exposed to the potential threat, or are there other security measures in place to mitigate it? Can the threat be removed or minimized by simply disabling a service or feature? What is the potential impact? Is it just a nuisance, or could it lead to system failure and down time?
Take the time to analyze what the threat means to you and your network. Then, you can develop a reasonable response based on real-world conditions rather than a knee-jerk response to fear-mongering headlines.
There is one caveat to consider. While the "zero-day" may not be urgent now, the fact that a security researcher has discovered and disclosed the flaw means that attackers are now aware of it as well. It may have been less of a concern previously, but once the flaw is public the race is on to patch it before malware developers actually do figure out how to exploit it.