Are zero-day exploits the new norm?

Conventional wisdom in IT security has long taught us that zero-day exploits are rare and that we need to be far more concerned with non-zero-days, which make up the vast majority of attacks. This paradigm was challenged recently by Microsoft security researcher Matt Miller in an awesome presentation he did on the evolution of Microsoft Windows exploits and defenses for Microsoft’s last Blue Hat event on February 7.

Prior to seeing Miller’s presentation, I would have guessed that zero-days were still rare. The new data that Miller had collected declared that zero-days are actually the norm, and non-zero days are getting less common over time. He showed that in 2017, every actively exploited Microsoft vulnerability was first done using a zero-day attack. In 2012, that number was 52 percent and had been as low as 21 percent in 2008.

Needless to say, his findings have generated lots of discussion. If misunderstood, a reader might be forgiven for wondering how important a role patching plays if the vast majority of exploits have no patch. Here’s an excellent example of why you don’t want to take one data point to build a defense.

Most vulnerabilities are not exploited

Even though we are now learning about over 15,000 newly discovered public vulnerabilities a year, most are never actively exploited. According to Miller’s own data in the same presentation, just barely 0.02 percent (12 out of 588 Windows CVEs) were actively exploited. This data is backed up by other risk management companies, such as Kenna Security, which says that only 0.6 percent of all CVEs (not just Microsoft Windows CVEs) are ever exploited in the wild.

Kenna Security

That’s a huge revelation and one I’ve been pushing hard for years. You don’t have to worry about most announced vulnerabilities, only the ones that have been actively exploited in the wild. That means instead of trying to better patch over 15,000 possible vulnerabilities, you really should focus on perfect patching just 90 vulnerabilities. If you just focus on Microsoft Windows patching, that means you really only need to focus on 12 out of the 600 published Windows vulnerabilities. Which ones? Those with public exploit code released.

This one criterion is the overwhelming marker of whether a patch needs to be applied. Computerworld’s Woody Leonhard, however, makes the case that you don’t have to apply most Microsoft patches immediately when available using the same Matt Miller data.

I’m not sure there is a definitive answer to how long you should wait after a Microsoft patch is available to apply it, but I’m definitely in the sooner camp. The data shows that the majority of risk is not in the immediate days after a patch is released. So, in non-high-risk environments, you can probably safely wait a few days to make sure all the bugs have been found and pushed out by other early adopters.

First exploited doesn’t equate to exploit numbers

I’ve always admired Miller and his presentations, but I think some people are reading too much into some of his data. Miller’s data does show the majority of exploited Windows vulnerabilities are first exploited as a zero-day against a targeted company, which is surprising. However, it doesn’t tell how often that vulnerability is exploited after the zero-day. His data point is very binary. It doesn’t show the risk to everyone else after the zero-day is used for the first time.

Miller’s data only reports on vulnerabilities exploited on day 1 and within the first 30 days. It doesn’t show what happens after the first 30 days, and more importantly, it doesn’t report numbers of exploits in each of those time periods.

For example, suppose the targeted zero-day is used against a single company and 35 devices on the first day, but once the exploit code is known in the wild, it is used against millions of devices over the next few years. Miller’s data is not showing the overall relevance of risk to devices over all time periods, although he and Microsoft could provide that data, and it might back up his other data points. What I do know is that no matter how a new exploit is disclosed (zero-day or from a coordinated patching event), it doesn’t account for the overall risk from that vulnerability.

The cost of zero-days is going up

One counter data point to the popularity of zero-days: In a normal supply-and-demand scenario, as zero-days became more common, they would generate less revenue for the people who make them. The bounty being paid for zero-days is still heading up, however. This would argue that zero-days, at least good zero-days, are become rarer over time.

Vulnerabilities aren’t even close to being your biggest problem

Also, it’s good to remember that majority of all successful malicious data breaches are due to social engineering, not a software vulnerability exploit. The figures vary by year and survey, but it’s been nearly a decade since social engineering, and in particular phishing, overtook software vulnerabilities, as the number-one way badness is executed on a device or network. While we debate zero-days versus non-zero-days, don’t lose sight that patching software and hardware isn’t your biggest problem.

I applaud not only Miller’s data and presentation, but also Microsoft’s incredible work at better Windows security. The company has been on a path to better secure Windows since 1999, and every version delivered since 2003 has pushed the envelope of what can be done with a general-purpose OS. It may not as secure as hyper-security-focused Qubes OS, but Windows is definitely not your parent’s insecure OS anymore.