Chart: history of Microsoft security improvements
Image: Matt Miller

Constant improvements in the security of Microsoft products are finally starting to pay off, a Microsoft security engineer revealed last week.

Matt Miller, a security engineer at Microsoft, said at a security conference in Israel that widespread exploitation of security vulnerabilities against Microsoft users is now uncommon – the exception rather than the norm.

Miller attributed this to the company's efforts to harden its products by adding security-centric features such as a firewall enabled by default, Protected View in Office products, DEP (Data Execution Prevention), ASLR (Address Space Layout Randomization), CFG (Control Flow Guard), application sandboxing, and others.

These features have made it much harder for ordinary cybercrime operations to build reliable exploits for newly fixed Microsoft bugs, reducing the number of vulnerabilities that are exploited at scale.

Mass, indiscriminate exploitation does eventually occur, but usually long after Microsoft has shipped a fix and companies have had enough time to test and deploy the patches.

Miller said that when vulnerabilities are exploited, they are usually part of targeted attacks rather than mass-exploitation campaigns tied to cybercrime.

For example, in 2018, 90% of all zero-days affecting Microsoft products were exploited as part of targeted attacks. These were zero-days discovered and used by nation-state cyber-espionage groups against strategic targets, rather than vulnerabilities discovered by spam groups or exploit-kit operators.

The remaining 10% of zero-day exploitation attempts did not come from cybercriminals trying to make money, but from actors experimenting with non-weaponized proof-of-concept code in order to understand what a not-yet-patched vulnerability does.

Chart: Microsoft zero-day exploitation (https://zdnet1.cbsistatic.com/hub/i/2019/02/10/09941cde-1f0d-444a-95f1-03bdad8ac947/f6bb107c5f24595f55cdec130c005730/microsoft-zin-exploitation.png)
Image: Matt Miller

"It is now unusual to see an exploit other than a zero-day published within 30 days of the availability of a patch," Miller added.

Exploits for zero-day and other vulnerabilities are usually released much later, because it has become increasingly difficult to develop weaponized exploits for vulnerabilities given all the additional security features that Microsoft has added to Windows and its other products.

The charts in Miller's presentation illustrate this new state of affairs well. The chart on the left shows Microsoft's increased effort to fix security vulnerabilities in recent years, with more and more security bugs receiving fixes (and a CVE identifier).

The chart on the right shows that, despite the growing number of known vulnerabilities in Microsoft products, fewer and fewer of them are entering the arsenal of hacking groups and real-world exploit kits within 30 days of a fix.

Chart: Microsoft exploitation trends (https://zdnet1.cbsistatic.com/hub/i/2019/02/10/82154f20-df57-487a-888d-ae9c60447844/9ba273d66f29694a66b839cd59eb1ccc/microsoft-exploitation-trends.png)
Image: Matt Miller

This shows that Microsoft's security defenses are doing their job by putting additional obstacles in the way of cybercrime groups.

If a vulnerability is exploited, it will most likely be exploited as a zero-day by a threat actor, or it will be an old security bug that users and businesses have had time to patch.
