Are zero-day exploits the new norm?

Research from Microsoft's Matt Miller shows that every actively exploited Windows vulnerability in 2017 was first exploited as a zero-day, that is, before a patch was available. Other research shows this trend extends across the IT landscape.

Conventional wisdom in IT security has long held that zero-day exploits are rare and that we should be far more concerned with non-zero-day exploits (those against vulnerabilities for which a patch already exists), which make up the vast majority of attacks. That paradigm was challenged recently by Microsoft security researcher Matt Miller in his presentation on the evolution of Microsoft Windows exploits and defenses at Microsoft's last Blue Hat event on February 7.

Prior to seeing Miller's presentation, I would have guessed that zero-days were still rare. The new data Miller had collected showed that zero-days are actually the norm, and that non-zero-day exploits are getting less common over time. He showed that in 2017, every actively exploited Microsoft vulnerability was first exploited as a zero-day. In 2012 that figure was 52 percent, and it had been as low as 21 percent in 2008.

Needless to say, his findings have generated lots of discussion. A reader who misunderstands them might be forgiven for wondering how important a role patching plays if the vast majority of exploits arrive before a patch exists. Here's an excellent example of why you don't want to build a defense on a single data point.

Most vulnerabilities are not exploited

Even though we now learn of more than 15,000 newly disclosed public vulnerabilities a year, most are never actively exploited. According to Miller's own data in the same presentation, only about 2 percent (12 out of 588 Windows CVEs) were actively exploited. This is backed up by other risk management companies, such as Kenna Security, which reports that only 0.6 percent of all CVEs (not just Microsoft Windows CVEs) are ever exploited in the wild.
