Conventional wisdom in IT security has long taught us that zero-day exploits are rare and that we need to be far more concerned with non-zero-days, which make up the vast majority of attacks. This paradigm was challenged recently by Microsoft security researcher Matt Miller in an awesome presentation he did on the evolution of Microsoft Windows exploits and defenses for Microsoft’s last Blue Hat event on February 7.

Prior to seeing Miller’s presentation, I would have guessed that zero-days were still rare. The new data that Miller had collected declared that zero-days are actually the norm, and non-zero-days are getting less common over time. He showed that in 2017, every actively exploited Microsoft vulnerability was first done using a zero-day attack. In 2012, that number was 52 percent, and it had been as low as 21 percent in 2008.

Needless to say, his findings have generated lots of discussion. If misunderstood, a reader might be forgiven for wondering how important a role patching plays if the vast majority of exploits have no patch. Here’s an excellent example of why you don’t want to take one data point to build a defense.

Most vulnerabilities are not exploited

Even though we are now learning about over 15,000 newly discovered public vulnerabilities a year, most are never actively exploited. According to Miller’s own data in the same presentation, just barely 0.02 percent (12 out of 588 Windows CVEs) were actively exploited. This data is backed up by other risk management companies, such as Kenna Security, which says that only 0.6 percent of all CVEs (not just Microsoft Windows CVEs) are ever exploited in the wild.

That’s a huge revelation and one I’ve been pushing hard for years. You don’t have to worry about most announced vulnerabilities, only the ones that have been actively exploited in the wild.
That means instead of trying to better patch over 15,000 possible vulnerabilities, you really should focus on perfectly patching just 90 vulnerabilities. If you just focus on Microsoft Windows patching, that means you really only need to focus on 12 out of the 600 published Windows vulnerabilities. Which ones? Those with public exploit code released. This one criterion is the overwhelming marker of whether a patch needs to be applied.

Computerworld’s Woody Leonhard, however, makes the case, using the same Matt Miller data, that you don’t have to apply most Microsoft patches immediately when they become available. I’m not sure there is a definitive answer to how long you should wait after a Microsoft patch is available to apply it, but I’m definitely in the sooner camp. The data shows that the majority of risk is not in the immediate days after a patch is released. So, in non-high-risk environments, you can probably safely wait a few days to make sure all the bugs have been found and pushed out by other early adopters.

First exploited doesn’t equate to exploit numbers

I’ve always admired Miller and his presentations, but I think some people are reading too much into some of his data. Miller’s data does show that the majority of exploited Windows vulnerabilities are first exploited as a zero-day against a targeted company, which is surprising. However, it doesn’t tell how often that vulnerability is exploited after the zero-day. His data point is very binary. It doesn’t show the risk to everyone else after the zero-day is used for the first time. Miller’s data only reports on vulnerabilities exploited on day 1 and within the first 30 days.
It doesn’t show what happens after the first 30 days, and more importantly, it doesn’t report the number of exploits in each of those time periods. For example, suppose the targeted zero-day is used against a single company and 35 devices on the first day, but once the exploit code is known in the wild, it is used against millions of devices over the next few years. Miller’s data is not showing the overall relevance of risk to devices over all time periods, although he and Microsoft could provide that data, and it might back up his other data points. What I do know is that no matter how a new exploit is disclosed (zero-day or from a coordinated patching event), that alone doesn’t account for the overall risk from that vulnerability.

The cost of zero-days is going up

One counter data point to the popularity of zero-days: in a normal supply-and-demand scenario, as zero-days became more common, they would generate less revenue for the people who make them. The bounty being paid for zero-days is still heading up, however. This would argue that zero-days, at least good zero-days, are becoming rarer over time.

Vulnerabilities aren’t even close to being your biggest problem

Also, it’s good to remember that the majority of all successful malicious data breaches are due to social engineering, not a software vulnerability exploit. The figures vary by year and survey, but it’s been nearly a decade since social engineering, and in particular phishing, overtook software vulnerabilities as the number-one way badness is executed on a device or network. While we debate zero-days versus non-zero-days, don’t lose sight of the fact that patching software and hardware isn’t your biggest problem.

I applaud not only Miller’s data and presentation, but also Microsoft’s incredible work at better Windows security.
The company has been on a path to better secure Windows since 1999, and every version delivered since 2003 has pushed the envelope of what can be done with a general-purpose OS. It may not be as secure as the hyper-security-focused Qubes OS, but Windows is definitely not your parent’s insecure OS anymore.
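The distinction drawn in "First exploited doesn’t equate to exploit numbers", between the binary question of whether a vulnerability was first exploited as a zero-day and the number of devices it goes on to hit, as an added example that is not from the article or from Miller’s data; the vulnerability records, CVE ids and device counts are constructed placeholders.

```python
from dataclasses import dataclass, field


@dataclass
class Vuln:
    """One exploited vulnerability and its exploitation history.

    Day 0 is the day it was first exploited in the wild; patch_day is the day a
    vendor fix became available, relative to day 0 (negative = patch came first).
    """
    cve: str                       # placeholder id, not a real CVE number
    patch_day: int
    devices_hit_by_day: dict = field(default_factory=dict)  # day -> devices hit


# Constructed sample (not real data): three entries follow the article's scenario of a
# targeted zero-day hitting a few devices on day 0 and far more once the exploit spreads.
SAMPLE = [
    Vuln("CVE-0000-0001", patch_day=14, devices_hit_by_day={0: 35, 40: 200_000, 400: 1_500_000}),
    Vuln("CVE-0000-0002", patch_day=3, devices_hit_by_day={0: 5, 10: 50_000, 90: 300_000}),
    Vuln("CVE-0000-0003", patch_day=30, devices_hit_by_day={0: 12, 31: 800_000}),
    Vuln("CVE-0000-0004", patch_day=-10, devices_hit_by_day={0: 1_000}),  # patched before any exploit
]


def was_zero_day_first(v: Vuln) -> bool:
    """Miller-style binary marker: the first observed exploitation predates the patch."""
    return min(v.devices_hit_by_day) < v.patch_day


def zero_day_first_rate(vulns) -> float:
    """Share of vulnerabilities whose FIRST exploitation was a zero-day."""
    return sum(was_zero_day_first(v) for v in vulns) / len(vulns)


def share_of_devices_hit(vulns, keep) -> float:
    """Share of all compromised devices on days selected by keep(vuln, day)."""
    total = sum(n for v in vulns for n in v.devices_hit_by_day.values())
    kept = sum(n for v in vulns for day, n in v.devices_hit_by_day.items() if keep(v, day))
    return kept / total


def summarize(vulns, window_days: int = 30) -> dict:
    """Place the first-exploitation view next to the device-volume view."""
    return {
        "zero_day_first_rate": zero_day_first_rate(vulns),
        "devices_hit_after_window": share_of_devices_hit(vulns, lambda v, d: d > window_days),
        "devices_hit_after_patch": share_of_devices_hit(vulns, lambda v, d: d >= v.patch_day),
    }


if __name__ == "__main__":
    for name, value in summarize(SAMPLE).items():
        print(f"{name}: {value:.3f}")
```

On the sample, 75 percent of the vulnerabilities are "zero-day first", yet over 98 percent of the compromised devices are hit after the 30-day window and almost all of them after a patch already existed, which is the gap in the binary metric the section describes.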