Microsoft: Watch out for zero days; deferred patches, not so much

Yesterday’s Blue Hat IL presentation from MSRC shows that, in 2017-18, the threat from zero days far exceeds the threat of delaying patches by 30 days. Moreover, the vast majority of zero days are used in targeted attacks, not in public attacks.


Matt Miller’s presentation at Blue Hat yesterday included some startling statistics, based on data gathered by Microsoft’s Security Response Center. The numbers starkly confirm what we’ve been saying for years: The chances of getting hit with malware by delaying Windows and Office patches for up to 30 days are tiny compared to all the other ways of getting clobbered.

The presentation deck for his talk shows how the number of security holes (measured by CVEs) has grown by leaps and bounds — doubling in the past five years — but the number of actual in-the-wild exploits has gone down by half in the past five years.

That’s a testament to both the security community’s sleuthing ability and to Microsoft’s improved security features — DEP, ASLR and improved sandboxing. Those technologies have been around for years, and they’re gradually getting better.

For those of you in the “patch in haste, recover at leisure” crowd, the numbers simply don’t support the drive to install every patch immediately:

[Chart: CVEs exploited within 30 days of a patch being available. Source: Matt Miller]

Over the past few years, only 2% to 3% of patched vulnerabilities have been seen exploited within 30 days of the patch being distributed. Or as Miller makes clear:

It is now uncommon to see a non-zero-day exploit released within 30 days of a patch being available.

More than that, the exploits these days are laser-focused on zero days.

[Chart: CVEs by exploit lag time, i.e. how long after (or before) the patch the first exploit appeared. Source: Matt Miller]

The malware world’s getting more sophisticated: The bad guys are going for zero days, not for security holes that have already been patched.

As Miller says:

If a vulnerability is exploited, it is most likely going to be exploited as zero day.
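To make the lag-time buckets in Miller's chart concrete, here is a small added Python example (not code from the talk, from Microsoft or from this article) that classifies CVE records by when in-the-wild exploitation first appeared relative to the patch date, and derives the triage decision the article argues for: patch known zero-days now, defer the rest. The record IDs, dates and the choice to count same-day exploitation as a zero-day are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass
class CveRecord:
    cve_id: str
    patch_released: date
    first_exploited: Optional[date]  # None when no in-the-wild exploit is known

def lag_bucket(rec: CveRecord, window_days: int = 30) -> str:
    """zero_day: exploited on/before patch day; within_window: <= window_days
    after the patch; after_window: later; not_exploited: no known exploit."""
    if rec.first_exploited is None:
        return "not_exploited"
    lag = (rec.first_exploited - rec.patch_released).days
    if lag <= 0:  # assumption: same-day exploitation counts as a zero-day
        return "zero_day"
    return "within_window" if lag <= window_days else "after_window"

def lag_distribution(records: List[CveRecord], window_days: int = 30) -> Dict[str, int]:
    """Count CVEs per bucket, the way the 'exploit lag time' chart does."""
    counts = {"zero_day": 0, "within_window": 0, "after_window": 0, "not_exploited": 0}
    for rec in records:
        counts[lag_bucket(rec, window_days)] += 1
    return counts

def exploited_share(records: List[CveRecord], window_days: int = 30) -> Dict[str, float]:
    """Percentage of exploited CVEs in each lag bucket (unexploited ones are ignored)."""
    counts = lag_distribution(records, window_days)
    counts.pop("not_exploited")
    total = sum(counts.values())
    return {k: (round(100.0 * v / total, 1) if total else 0.0) for k, v in counts.items()}

def patch_priority(rec: CveRecord) -> str:
    """Triage at patch time: a known zero-day is patched now, anything else may wait."""
    return "immediate" if lag_bucket(rec) == "zero_day" else "deferrable"

# Constructed sample records; the IDs and dates are placeholders, not data from the talk.
SAMPLE = [
    CveRecord("CVE-EXAMPLE-0001", date(2018, 3, 13), date(2018, 2, 20)),  # exploited before patch
    CveRecord("CVE-EXAMPLE-0002", date(2018, 3, 13), date(2018, 4, 1)),   # 19 days after patch
    CveRecord("CVE-EXAMPLE-0003", date(2018, 3, 13), date(2018, 6, 1)),   # 80 days after patch
    CveRecord("CVE-EXAMPLE-0004", date(2018, 3, 13), None),               # never exploited
    CveRecord("CVE-EXAMPLE-0005", date(2018, 4, 10), date(2018, 4, 10)),  # same-day exploitation
]
```

A CVE triaged as deferrable should be re-evaluated if exploitation is reported later, since the bucket only reflects what is known on patch day.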

For most of us with less-than-NSA-level protection budgets, you can basically bend over and kiss your keister goodbye. One redeeming social value: The really good zero days are hoarded by countries and organizations with their own agendas. They don’t care about you.

My takeaway is the same as it’s been for years: You need to patch sooner or later, but it makes no sense at all to patch the minute Microsoft pushes something out the automatic update chute.

Thx, Susan Bradley.

Look for more no-nonsense advice on the AskWoody Lounge.

Copyright © 2019 IDG Communications, Inc.
