Image: Matt Miller

Constant security improvements to Microsoft products are finally starting to pay off dividends, a Microsoft security engineer revealed last week.

Speaking at the BlueHat security conference in Israel, Microsoft security engineer Matt Miller said that widespread mass exploitation of security flaws against Microsoft users is now uncommon --the exception to the rule, rather than the norm.

Miller credited the company's efforts in improving its products with the addition of security-centric features such as a firewall on-by-default, Protected View in Office products, DEP (Data Execution Prevention), ASLR (Address Space Layout Randomization), CFG (Control Flow Guard), app sandboxing, and more.

These new features have made it much harder for mundane cybercrime operations to come up with zero-days or reliable exploits for newly patched Microsoft bugs, reducing the number of vulnerabilities exploited at scale.

Mass, non-discriminatory exploitation does eventually occur, but usually long after Microsoft has delivered a fix, and after companies had enough time to test and deploy patches.

Miller said that when vulnerabilities are exploited, they are usually part of targeted attacks, rather than cybercrime-related mass exploitation attacks.

For example, in 2018, 90 percent of all zero-days affecting Microsoft products were exploited part of targeted attacks. These are zero-days found and used by nation-state cyber-espionage groups against strategic targets, rather than vulnerabilities discovered by spam groups or exploit kit operators.

The other 10 percent of zero-day exploitation attempts weren't cyber-criminals trying to make money, but people playing with non-weaponized proof-of-concept code trying to understand what a yet-to-be-patched vulnerability does.

Image: Matt Miller

"It is now uncommon to see a non-zero-day exploit released within 30 days of a patch being available," Miller also added.

Exploits for both zero-day and non-zero-day vulnerabilities usually pop up much later because it's getting trickier and trickier to develop weaponized exploits for vulnerabilities because of all the additional security features that Microsoft has added to Windows and other products.

Two charts in Miller's presentation perfectly illustrate this new state of affairs. The chart on the left shows how Microsoft's efforts into patching security flaws have intensified in recent years, with more and more security bugs receiving fixes (and a CVE identifier).

On the other hand, the chart on the right shows that despite the rising number of known flaws in Microsoft products, fewer and fewer of these vulnerabilities are entering the arsenal of hacking groups and real-world exploitation within the 30 days after a patch.

Image: Matt Miller

This shows that Microsoft's security defenses are doing their job by putting additional hurdles in the path of cybercrime groups.

If a vulnerability is exploited, it is most likely going to be exploited as zero-day by some nation-state threat actor, or as an old security bug for which users and companies have had enough time to patch.

Related security coverage: