It is a good idea to patch critical bugs swiftly. However, Microsoft's data shows that rushing doesn't necessarily lower the risk to a system.
At last week's BlueHat security conference, Microsoft security expert Matt Miller gave the lowdown on when vulnerabilities actually get exploited.
According to Miller's presentation, the vast majority of bugs that do get exploited are exploited as zero-days, before any patch exists, and it has become much rarer to see exploits for bugs within 30 days of a patch's release. In other words, bugs are increasingly attacked when there is no patch available anyway, while those that do have a patch aren't being attacked immediately.
Among bugs exploited within 30 days of a patch, the share that were exploited as zero-days, before the patch shipped, climbed steadily from 21 percent in 2008 to 100 percent in 2017, before dipping to 83 percent in 2018.
Microsoft also found that when a zero-day bug is exploited, it's most likely to be used in a targeted attack that doesn't affect the majority of Windows users. Criminal exploit kits used for mass attacks, by contrast, haven't used zero-days at all in the past two years.
This has implications for IT admins and consumers who need to make a decision every month about when to apply Microsoft's Patch Tuesday fixes. Eventually all bugs should be patched, but the data suggests users could safely wait for a few weeks, which may be better given that patches and major updates can carry their own flaws. That said, the finding is an aggregate across all Windows users: an organization that is a plausible target of a targeted attack, the kind in which zero-days are actually used, cannot assume it has the same margin.
If organizations follow the Australian government's 'Essential Eight' mitigation strategies, admins should patch or mitigate a system with "extreme risk" vulnerabilities in Office and Windows within 48 hours.
Consumer Windows 10 users, meanwhile, need to contend with automatic updates, a feature Microsoft introduced because users are generally bad at patching. But not everyone likes their system being updated according to Microsoft's schedule.
Microsoft's data, however, suggests there might be less reason to take action immediately when a new critical bug is disclosed and patched.
Miller's slides also show that while the number of Common Vulnerabilities and Exposures (CVE)-tagged bugs has increased six-fold since 2006, the percentage of CVEs exploited within 30 days of a patch has steadily declined.
Miller attributes the shift towards zero-day exploits to a market response to the rising cost of exploiting bugs. That cost is partly a result of Windows 10 keeping itself up to date, which shortens the window in which an exploit for a patched bug is still useful, and partly of the exploit mitigations built into Windows 10, such as ASLR (address space layout randomization), DEP (data execution prevention) and CFG (Control Flow Guard), which make a reliable exploit for a memory-corruption bug more expensive to build. Together these have pushed attackers towards using exploits selectively rather than at scale.
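The two factors Miller names, an up-to-date system and the platform mitigations, are both things an admin can verify on a given machine, and the patch-age check is the same one the Essential Eight's 48-hour window calls for. The following PowerShell script is an added example written for this page, not code from Miller's talk or from Microsoft: it reports the system-wide DEP, ASLR and CFG policy via the built-in Get-ProcessMitigation cmdlet (Windows 10 1709 or later, run from an elevated shell) and the age of the most recently installed hotfix. The 2-day threshold is a hypothetical policy value, and the property names under DEP, ASLR and CFG are those the cmdlet prints for the system policy.

```powershell
# Added example (not from the article or Miller's presentation).
# Assumes Windows 10 1709+ with the ProcessMitigations module; run elevated.

# Hypothetical policy window, modelled on the Essential Eight's 48 hours for
# "extreme risk" vulnerabilities. Adjust to your own policy.
$MaxPatchAgeDays = 2

# --- 1. System-wide mitigation policy (DEP, ASLR, CFG) ---
$m = Get-ProcessMitigation -System

$checks = [ordered]@{
    'DEP enabled'         = $m.DEP.Enable
    'ASLR bottom-up'      = $m.ASLR.BottomUp
    'ASLR high entropy'   = $m.ASLR.HighEntropy
    'ASLR force relocate' = $m.ASLR.ForceRelocateImages  # mandatory ASLR for images built without /DYNAMICBASE
    'CFG enabled'         = $m.CFG.Enable
}

foreach ($c in $checks.GetEnumerator()) {
    # Get-ProcessMitigation reports ON / OFF / NOTSET. NOTSET means the OS
    # default applies, which is not the same as the mitigation being enforced.
    $state = "$($c.Value)"
    $flag  = if ($state -eq 'ON') { 'ok' } elseif ($state -eq 'NOTSET') { 'default' } else { 'WEAK' }
    '{0,-22} {1,-7} {2}' -f $c.Key, $state, $flag
}

# --- 2. Patch currency: days since the newest hotfix was installed ---
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |          # some entries carry no date
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

$age = (Get-Date) - $latest.InstalledOn
'Latest hotfix: {0} installed {1:d} ({2} days ago)' -f $latest.HotFixID, $latest.InstalledOn, [int]$age.TotalDays

if ($age.TotalDays -gt $MaxPatchAgeDays) {
    Write-Warning ('No update installed in the last {0} days; check Windows Update or WSUS ' +
                   'before assuming the post-patch grace period seen in the data applies to this host.' -f $MaxPatchAgeDays)
}
```

Two caveats on reading the output. Get-HotFix only lists updates recorded as quick-fix engineering entries (cumulative and security updates are, Defender definitions and Store apps are not), so treat the age as a coarse indicator rather than proof of currency. And the system-wide policy is only the default: Get-ProcessMitigation -Name some.exe shows the per-process overrides, and a process that has opted out of DEP or CFG is exactly the target an attacker would prefer.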
Instead of using expensive zero-day exploits, cybercriminals have shifted to using malicious macros, phishing, tech support scams and various password attacks, such as credential stuffing.
Another major change in the past decade is pervasive sandboxing, with attackers increasingly looking for sandbox escapes. Since 2014 Microsoft has seen a rise in elevation-of-privilege flaws in kernel components, which are the typical route out of a sandbox once an attacker has code execution inside it.