Matt Miller’s presentation at BlueHat yesterday included some startling statistics, based on data gathered by Microsoft’s Security Response Center. The numbers starkly confirm what we’ve been saying for years: the chances of getting hit with malware by delaying Windows and Office patches for up to 30 days are tiny compared to all the other ways of getting clobbered.
The presentation deck for his talk shows how the number of security holes (measured by CVEs) has grown by leaps and bounds, doubling in the past five years, while the number of actual in-the-wild exploits has fallen by half over the same period.
That’s a testament to both the security community’s sleuthing ability and to Microsoft’s improved security features — DEP, ASLR and improved sandboxing. Those technologies have been around for years, and they’re gradually getting better.
For those of you in the “patch in haste, recover at leisure” crowd, the numbers simply don’t support the drive to install every patch immediately:
Over the past few years, only 2% to 3% of patched vulnerabilities have been seen exploited within 30 days of the patch being distributed. Or as Miller puts it:
It is now uncommon to see a non-zero-day exploit released within 30 days of a patch being available.
More than that, the exploits these days are laser-focused on zero days.
As Miller says:
If a vulnerability is exploited, it is most likely going to be exploited as zero day.
For those of us with less-than-NSA-level protection budgets, that means you can basically bend over and kiss your keister goodbye. One redeeming social value: the really good zero days are hoarded by countries and organizations with their own agendas. They don’t care about you.
My takeaway is the same as it’s been for years: You need to patch sooner or later, but it makes no sense at all to patch the minute Microsoft pushes something out the automatic update chute.
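If you want to act on that takeaway rather than just nod along, Windows 10 (1607 and later) lets you defer quality updates for up to 30 days through the Windows Update for Business policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, the same settings the "Select when Quality Updates are received" Group Policy writes. The script below is an added example, not something from Miller's deck or from this post; it assumes an elevated PowerShell session on a machine that is not already managed by WSUS or Intune (which would override it), and the function names are my own. The default state (no DeferQualityUpdates value at all) is the "patch the minute it ships" setting; the script sets the 30-day deferral and reads it back so you can check it took.

```powershell
#Requires -RunAsAdministrator
# Added example: defer Windows quality (monthly) updates by up to 30 days using the
# documented Windows Update for Business policy registry values. Function names are
# hypothetical; the registry path and value names are the documented policy keys.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Set-QualityUpdateDeferral {
    param(
        # Windows caps quality update deferral at 30 days, which is exactly the
        # window the statistics above are about.
        [ValidateRange(0, 30)]
        [int]$Days = 30
    )
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    # DeferQualityUpdates = 1 switches the deferral on;
    # DeferQualityUpdatesPeriodInDays is the number of days to hold each update back.
    New-ItemProperty -Path $PolicyPath -Name 'DeferQualityUpdates' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $PolicyPath -Name 'DeferQualityUpdatesPeriodInDays' `
        -PropertyType DWord -Value $Days -Force | Out-Null
}

function Remove-QualityUpdateDeferral {
    # Back to the default: updates install as soon as Microsoft publishes them.
    if (Test-Path $PolicyPath) {
        Remove-ItemProperty -Path $PolicyPath -Name 'DeferQualityUpdates' `
            -ErrorAction SilentlyContinue
        Remove-ItemProperty -Path $PolicyPath -Name 'DeferQualityUpdatesPeriodInDays' `
            -ErrorAction SilentlyContinue
    }
}

function Get-QualityUpdateDeferral {
    # Reads the policy back so the change can be verified. Returns Enabled = $false
    # and Days = $null when no policy is set (the default, patch-immediately state).
    $p = $null
    if (Test-Path $PolicyPath) {
        $p = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        Enabled = [bool]($p.DeferQualityUpdates -eq 1)
        Days    = $p.DeferQualityUpdatesPeriodInDays
    }
}

# Hold monthly quality updates for the full 30 days, then confirm the setting.
Set-QualityUpdateDeferral -Days 30
Get-QualityUpdateDeferral
```

Two caveats a practitioner will want: this policy only covers updates delivered through Windows Update, so Office Click-to-Run builds, which arrive over their own update channel, need their own deferral; and, as Miller's numbers make plain, deferring does nothing for the zero-day case, because by definition there is no patch yet to defer. What it buys you is the breathing room the 2% to 3% figure says you can afford.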
Thx, Susan Bradley.
Look for more no-nonsense advice on the AskWoody Lounge.