When a vulnerability in Windows, Office and other Microsoft products is attacked for the first time, it's likely a zero-day. The number of exploits for already patched vulnerabilities is decreasing, according to Microsoft's Matt Miller who works at the company's Security Response Center.
In a presentation (PDF) on the BlueHat security conference, Miller discusses recent developments in computer security and the measures Microsoft takes to protect its users. Numbers published by Miller show that the number of patched vulnerabilities by Microsoft increases. But also that the number of vulnerabilities that are attacked within 30 days after a patch is released, decreases.
“If a vulnerability is exploited, it is most likely going to be exploited as zero day”, according to Miller. A zero-day is a vulnerability for which no security update is available yet.
“It is now uncommon to see a non-zero-day exploit released within 30 days of a patch being available,” Miller adds.
From the zero-days that Microsoft discovered, the majority was used in targeted attacks. The company also found that outdated software is often targeted.
Miller notes that there are zero-days that are never discovered by Microsoft or other security companies. This makes it hard to exactly understand how many unknown zero-day exploits are making the rounds. But obviously, the more often a zero-day is used in an attack, the more likely it will be discovered.
Miller also states that Microsoft's security measures make it harder for attackers to exploit vulnerabilities. An important measure is, according to Miller, that Windows 10 is always up-to-date, which means there is smaller “return of investment” from attacking patched vulnerabilities. The costs to acquire exploits have also increased which means that in many cases the expected returns are lower than the investment in the exploit.
Therfore, cybercriminals are more often resorting to social engineering, according to Miller. With social engineering, attackers need to trick victims in opening attachments or running applications to infect a system with malware. Such attacks are e.g. phishing attacks or documents where users have to be tricked into enabling malicious macros.
