A Microsoft study presented at Blue Hat IL has turned on its head the conventional wisdom regarding patching PCs we have all been indoctrinated in over the last 20 years.
That conventional wisdom holds that, while new patches carry a risk of causing issues, the risk of delaying patches is far worse, because attackers release exploits based on reverse-engineered patches.
That may have been true many years ago, but it appears that PC security has since improved to such a degree that it is now too difficult for attackers to exploit even unpatched PCs in most cases.
The study found that, based on data gathered by Microsoft's Security Response Center for the 2017-2018 period, only 2% to 3% of patched vulnerabilities were seen exploited within 30 days of the patch being distributed.
In fact, the vast majority of exploits targeted zero-days, i.e. newly discovered vulnerabilities for which no patch exists yet.
They also revealed that, thanks to the hard work of security engineers, the number of known vulnerabilities has doubled in the last five years, while the number of actual in-the-wild exploits has halved over the same period. Microsoft's Matt Miller notes that if a vulnerability is exploited, it is most likely going to be exploited as a zero-day.
Fortunately, most governments are hoarding zero-day vulnerabilities for targeted spear-phishing attacks, rather than wasting them by releasing them into the wild.
The study may be behind Microsoft's recent move to allow Windows 10 Home users to delay forced updates for 7 days, but I believe Microsoft could go even further, by giving Windows users at least 4-5 occasions to delay an update by a few weeks before forcing it, after sufficient notice.
Of course, a bit like vaccination, it could be that attackers do not bother reverse engineering patches because most vulnerable PCs have already received forced updates, rendering their efforts a waste of time.