Matt Miller’s presentation at Blue Hat yesterday included some startling statistics, based on data gathered by Microsoft’s Security Response Center. The numbers starkly confirm what we’ve been saying for years: the chances of getting hit with malware by delaying Windows and Office patches for up to 30 days are tiny compared to all the other ways of getting clobbered.

The presentation deck for his talk shows how the number of security holes (measured by CVEs) has grown by leaps and bounds — doubling in the past five years — but the number of actual in-the-wild exploits has gone down by half in the past five years.

That’s a testament to both the security community’s sleuthing ability and to Microsoft’s improved security features — DEP, ASLR and improved sandboxing. Those technologies have been around for years, and they’re gradually getting better.

For those of you in the “patch in haste, recover at leisure” crowd, the numbers simply don’t support the drive to install every patch immediately:
[Chart from Matt Miller’s deck: CVEs exploited within 30 days of a patch]
Over the past few years, only 2% to 3% of patched vulnerabilities (CVEs) have been seen in an exploit within 30 days of the patch being distributed. Or as Miller puts it:

It is now uncommon to see a non-zero-day exploit released within 30 days of a patch being available.

More than that, the exploits these days are laser-focused on zero days.