{"id":14551,"date":"2019-02-08T10:30:12","date_gmt":"2019-02-08T18:30:12","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/02\/08\/news-8301\/"},"modified":"2019-02-08T10:30:12","modified_gmt":"2019-02-08T18:30:12","slug":"news-8301","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/02\/08\/news-8301\/","title":{"rendered":"Microsoft: Watch out for zero days; deferred patches, not so much"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2017\/09\/windows_patch_security5-100734739-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Woody Leonhard| Date: Fri, 08 Feb 2019 08:32:00 -0800<\/strong><\/p>\n<p><span style=\"font-weight: 400;\">Matt Miller\u2019s <\/span><a href=\"https:\/\/github.com\/Microsoft\/MSRC-Security-Research\/blob\/master\/presentations\/2019_02_BlueHatIL\/2019_01%20-%20BlueHatIL%20-%20Trends%2C%20challenge%2C%20and%20shifts%20in%20software%20vulnerability%20mitigation.pdf\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">presentation at Blue Hat <\/span><\/a><span style=\"font-weight: 400;\">yesterday included some startling statistics, based on data gathered by Microsoft\u2019s Security Response Center. 
The numbers starkly confirm what we\u2019ve been saying for years: The chances of getting hit with malware by delaying Windows and Office patches for up to 30 days are tiny compared to all the other ways of getting clobbered.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The presentation deck for his talk shows how the number of security holes (measured by <\/span><a href=\"https:\/\/cve.mitre.org\/\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">CVEs<\/span><\/a><span style=\"font-weight: 400;\">) has grown by leaps and bounds \u2014 doubling in the past five years \u2014 but the number of actual in-the-wild exploits has gone down by half in the past five years.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">That\u2019s a testament to both the security community\u2019s sleuthing ability and to Microsoft\u2019s improved security features \u2014 DEP, ASLR and improved sandboxing. Those technologies have been around for years, and they\u2019re gradually getting better.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">For those of you in the \u201cpatch in haste, recover at leisure\u201d crowd, the numbers simply don\u2019t support the drive to install every patch immediately:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Over the past few years, only 2% to 3% of patched vulnerabilities are seen in an exploit within 30 days of the patch being distributed. 
Or as Miller makes clear:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">It is now uncommon to see a non-zero-day exploit released within 30 days of a patch being available.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">More than that, the exploits these days are laser-focused on zero days.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The malware world\u2019s getting more sophisticated: The bad guys are going for zero days, not for security holes that have already been patched.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">As Miller says:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">If a vulnerability is exploited, it is most likely going to be exploited as zero day.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">For most of us with less-than-NSA-level protection budgets, you can basically bend over and kiss your keister goodbye. One redeeming social value: The really good zero days are hoarded by countries and organizations with their own agendas. They don\u2019t care about you.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">My takeaway is the same as it\u2019s been for years: You need to patch sooner or later, but it makes no sense at all to patch the minute Microsoft pushes something out the automatic update chute.<\/span><\/p>\n<p><i><span style=\"font-weight: 400;\">Thx, Susan Bradley.<\/span><\/i><\/p>\n<p><i><span style=\"font-weight: 400;\">Look for more no-nonsense advice on the<\/span><\/i><a href=\"https:\/\/www.askwoody.com\/2019\/microsoft-security-response-center-the-biggest-malware-threat-comes-from-zero-days-delayed-patches-not-so-much\/\" rel=\"nofollow noopener\" target=\"_blank\"><i><span style=\"font-weight: 400;\"> AskWoody Lounge<\/span><\/i><\/a><i><span style=\"font-weight: 400;\">.<\/span><\/i><\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3339537\/microsoft-windows\/microsoft-watch-out-for-zero-days-deferred-patches-not-so-much.html#tk.rss_security\" target=\"bwo\" 
>http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2017\/09\/windows_patch_security5-100734739-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Woody Leonhard| Date: Fri, 08 Feb 2019 08:32:00 -0800<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p><span style=\"font-weight: 400;\">Matt Miller\u2019s <\/span><a href=\"https:\/\/github.com\/Microsoft\/MSRC-Security-Research\/blob\/master\/presentations\/2019_02_BlueHatIL\/2019_01%20-%20BlueHatIL%20-%20Trends%2C%20challenge%2C%20and%20shifts%20in%20software%20vulnerability%20mitigation.pdf\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">presentation at Blue Hat <\/span><\/a><span style=\"font-weight: 400;\">yesterday included some startling statistics, based on data gathered by Microsoft\u2019s Security Response Center. The numbers starkly confirm what we\u2019ve been saying for years: The chances of getting hit with malware by delaying Windows and Office patches for up to 30 days are tiny compared to all the other ways of getting clobbered.<\/span><\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3339537\/microsoft-windows\/microsoft-watch-out-for-zero-days-deferred-patches-not-so-much.html#jump\">To read this article in full, please click 
here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[10516,714,10525],"class_list":["post-14551","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-microsoft","tag-security","tag-windows"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14551","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=14551"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14551\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=14551"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=14551"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=14551"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}