[German]The biggest risks for computer systems are 0-day vulnerabilities, and not deferred updates. And 0-day vulnerabilities are targeted by cyber criminals. That’s the result of a Microsoft security analysis.
Some facts and figures
These are interesting insights that Matt Miller of the Microsoft Security Response Center (MSRC) just gave at the Blue Hat Conference 2019 in Israel. Miller has published his presentation slides on GitHub, as he announced on Twitter.
Posted the slides from my #bluehatil talk covering trends, challenges, and strategic shifts in the software vulnerability landscape. Questions, comments, and alternative perspectives welcome https://t.co/6IAzb2AaR8
— Matt Miller (@epakskape) 7. Februar 2019
The figures that Matte Miller presented in his lecture are quite interesting. Here are some facts:
- In 2018, 54% of the reported vulnerabilities were fixed by software updates.
- pprox. 85% of the vulnerabilities were in the area of Remote Code Execution (RCE), Elevation of Privilege (EOP) or Information Disclosure (ID).
(Source: Microsoft, Clickt to zoom)
In the above slide, the left graph shows that the number of patches closing vulnerabilities with CVE is increasing year by year. However, the right graph shows that the risk of vulnerabilities being exploited within 30 days after an update being released is steadily decreasing. The number of known exploits is decreasing and has been at 2-3% in recent years.
(Source: Microsoft, Click to size)
Interesting are also the two graphics in the above slide, which deal with 0-day exploits. If a vulnerability is exploited, it is a 0-day vulnerability (no no patch available yet). For the vulnerabilities closed by updates, no exploits are actually detected in the first 30 days after the patch is available – it is not worth it for the exploit developers. Exploits are more likely to be developed for older software for which there are no updates to close known vulnerabilities.
Exploits found in the wild are always addressing 0-day vulnerabilities, because there is no patch yet. And attacks using such 0-day exploits address specific targets (e.g. governments or individuals). So there are no large-scale campaigns to the general public.
Conclusions from this analysis
This, of course, allows some interesting conclusions. It is important to keep software up to date. But for Microsoft products it’s not necessary to install an update immediately after release. That’s a good news, because many updates provided by Microsoft are coming with the risk of collateral damage. So, if administrators postpone the installation of security updates in Windows or other Microsoft products for a few days (up to 30 days), won’t increase the risk significantly.
If serious issues occur after an update release, Microsoft usually withdraws the updates after a few days and releases revised updates again later. If an administrator delays the update installation, he can avoid trouble caused by botched updates. And the risk of an attack does not increase in practical terms. The whole thing is certainly a topic that may be discussed. Woody Leonhard has also given some thought to this topic. How do you see the topic?