Microsoft: Beware zero days; deferred patches, not so much

Matt Miller’s presentation at Blue Hat yesterday included some startling statistics, based mostly on data gathered by Microsoft’s Security Response Center. The numbers starkly confirm what we’ve been saying for years: The chance of getting hit with malware by delaying Windows and Office patches for up to 30 days is tiny compared with all the other ways of getting clobbered.

The presentation deck for his talk shows how the number of security holes (measured by CVEs) has grown by leaps and bounds — doubling in the past five years — but the number of actual in-the-wild exploits has gone down by half in the past five years.

That’s a testament to both the security community’s sleuthing ability and to Microsoft’s improved security features — DEP, ASLR and improved sandboxing. Those technologies have been around for years, and they’re gradually getting better.

For those of you in the “patch in haste, recover at leisure” crowd, the numbers simply don’t support the push to install every patch immediately:

[Figure: CVEs exploited within 30 days of patch release, from Matt Miller’s deck]

Over the past few years, only 2% to 3% of patched vulnerabilities are seen exploited within 30 days of the patch being distributed. Or as Miller makes clear:

It’s now unusual to see a non-zero-day exploit released within 30 days of a patch being available.

More than that, the exploits these days are laser-focused on zero days.

[Figure: CVEs by exploit lag time, from Matt Miller’s deck]

The malware world’s getting more sophisticated: The bad guys are going for zero days, not for security holes that have already been patched.
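To make “exploit lag time” concrete, here is an added example (my own, not Miller’s or Microsoft’s code, run on constructed records rather than MSRC data) that buckets each CVE by the gap between patch release and first in-the-wild exploitation, which is the breakdown behind the 30-day and zero-day figures above:

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    patch_date: date
    first_exploit_date: Optional[date]  # None: never seen exploited in the wild

def exploit_lag_days(rec: CveRecord) -> Optional[int]:
    """Days from patch availability to first in-the-wild exploit; negative means before the patch."""
    if rec.first_exploit_date is None:
        return None
    return (rec.first_exploit_date - rec.patch_date).days

def classify(rec: CveRecord) -> str:
    """Bucket a CVE by lag, as in Miller's chart: exploited on or before patch day counts as a zero-day."""
    lag = exploit_lag_days(rec)
    if lag is None:
        return "not exploited"
    if lag <= 0:
        return "zero-day"
    return "within 30 days" if lag <= 30 else "after 30 days"

def lag_distribution(records: List[CveRecord]) -> Dict[str, int]:
    counts = {"zero-day": 0, "within 30 days": 0, "after 30 days": 0, "not exploited": 0}
    for rec in records:
        counts[classify(rec)] += 1
    return counts

def share_exploited_within_30_days(records: List[CveRecord]) -> float:
    """Share of all patched CVEs first exploited inside a 30-day deferral window (the page's 2-3% figure)."""
    return lag_distribution(records)["within 30 days"] / len(records)

def share_of_exploits_that_were_zero_days(records: List[CveRecord]) -> float:
    """Among CVEs exploited at all, the share that were already zero-days when exploited."""
    counts = lag_distribution(records)
    exploited = len(records) - counts["not exploited"]
    return counts["zero-day"] / exploited if exploited else 0.0

# Constructed sample records; IDs and dates are illustrative, not real CVEs.
SAMPLE = [
    CveRecord("CVE-EXAMPLE-0001", date(2018, 3, 13), date(2018, 3, 1)),   # 12 days before patch
    CveRecord("CVE-EXAMPLE-0002", date(2018, 4, 10), date(2018, 4, 10)),  # on patch day
    CveRecord("CVE-EXAMPLE-0003", date(2018, 5, 8), date(2018, 5, 20)),   # 12 days after patch
    CveRecord("CVE-EXAMPLE-0004", date(2018, 6, 12), date(2018, 9, 1)),   # 81 days after patch
    CveRecord("CVE-EXAMPLE-0005", date(2018, 7, 10), None),
    CveRecord("CVE-EXAMPLE-0006", date(2018, 8, 14), None),
]
```

Feeding a real patch-versus-first-exploit dataset through `lag_distribution` gives the same four buckets Miller’s chart plots; the 30-day deferral risk is the “within 30 days” share, and the zero-day share answers whether exploitation tends to precede the patch.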

As Miller says:

If a vulnerability is exploited, it’s probably going to be exploited as zero day.

For those of us with less-than-NSA-level security budgets, you can basically bend over and kiss your keister goodbye. One redeeming social value: The really good zero days are hoarded by nations and organizations with their own agendas. They don’t care about you.

My takeaway is the same as it’s been for years: You need to patch eventually, but it makes no sense at all to patch the minute Microsoft pushes something out the automatic update chute.

Thx, Susan Bradley.

Look for more no-nonsense advice on the AskWoody Lounge.
