Microsoft: ‘Zero-day’ threats are less than 1% of exploits

Zero-day security threats can scare the bejeebers out of the tech industry, when hackers and malware are able to target flaws in software and online services before patches can be released. But a report from Microsoft today says they actually represent a relatively small slice of online threats.

Less than 1 percent of the exploits detected by the company in the first half of this year targeted zero-day vulnerabilities, according to the latest installment of Microsoft’s Security Intelligence Report, issued this morning.

So how are security threats actually spreading? Here’s an excerpt from a Microsoft news release summarizing the report

SIRv11 further revealed that user interaction, typically employing social-engineering techniques, is attributed to nearly half (45 percent) of all malware propagation in the first half of 2011. In addition, more than a third of all malware is spread through cybercriminal abuse of Win32/Autorun, a feature that automatically starts programs when external media, such as a CD or USB, are inserted into a computer. Ninety percent of infections that were attributed to vulnerability exploitation had a security update available from the software vendor for more than a year.

Here’s a chart from the report showing the different types of threats.