Microsoft: Old vulnerabilities cause most Windows infections


Despite the headlines that zero-day exploits make, they are far less dangerous in real-world terms than mundane unpatched security vulnerabilities, says Microsoft (NASDAQ: MSFT). The company took this stance in its Microsoft Security Intelligence Report Volume 11, which was released yesterday. 

Interestingly, Microsoft blames Java for the worst infections. The report points to the widespread problem of outdated Java runtime environments, for which patches have long been made available. Other major culprits include HTML and JavaScript, as well as security flaws in document readers such as Office. Not surprisingly, vulnerabilities in Adobe Flash are also cited as a popular vector.

The more than 100-page report highlights how 44 percent of attacks require some form of user interaction "distinguished from typical use of the computer." This suggests, to me, that some amount of user training, or the lack of it, may ultimately impact malware infection rates in the enterprise. Other vectors of malware infection include exploiting the AutoRun feature in Windows over a USB storage device (26 percent) or over the network (17.2 percent). Beyond that, it is clear that system administrators may benefit more from a fastidious software update and patching regime than from worrying about the next big attack.

You can download the full report here (pdf).

For more on this story:
- check out this article at Network World
