Microsoft Security Intelligence Report Volume 11 for the first half of 2011 offers solid evidence to support what security researchers have been shouting feverishly for the last year. This is just more data to confirm that zero-day attacks – while they can certainly cause damage – aren't needed for over 99% of actual attacks. The numbers also show that the top two attacks are user related.
The top attack vector was attacks requiring user interaction coming in at 44.8%, which involved users clicking or visiting malicious links, files, or executables. Phishing is likely the cause for many of the compromises in that first category. The second most prevalent attack vector was AutoRun downloaded via USB devices, which is essentially another user interaction attack, relying on getting a user to connect a USB drive containing malicious software. This means the top two attack vectors require human interaction for a combined total of 70.8%.
Next up was AutoRun over the network attack vector at 17.2 percent, which means when a network share (ie. file server) is compromised to host malware, which propagates when the network share is connected to, eventually exploiting an organization's entire network. The good news it that AutoRun can be disabled which would greatly reduce the USB and Network AutoRun attack vectors, accounting for 43.2% of compromises. It has been a best practice for a few years for administrators to disable AutoRun, so one could argue that it's a human error to have it still enabled on corporate networks.
On a final note, exploits with a patch available for over a year accounted for 3.2% of compromises, compared to 2.4% for patches available for less than a year. Much-talked-about zero-day attacks were responsible for just 0.12% activity. The numbers don't lie; organizations are much more likely to be hit with something they didn't patch instead of a zero-day. This report screams the need to get back to the basics in security, which is to train users and system administrators on how to do their jobs: quit focusing on zero-day so much and instead prioritize known threats. This allows organizations to mitigate well over 90% of their actual risk when it comes to Microsoft-related networks and products.