Image: Microsoft's history of security improvements (credit: Matt Miller)

Constant security improvements to Microsoft products are finally starting to pay dividends, a Microsoft security engineer revealed last week.

Speaking at the BlueHat security conference in Israel, Microsoft security engineer Matt Miller said that widespread mass exploitation of security flaws against Microsoft users is now uncommon: the exception to the rule, rather than the norm.

Miller credited the company's efforts in improving its products with the addition of security-centric features such as a firewall on-by-default, Protected View in Office products, DEP (Data Execution Prevention), ASLR (Address Space Layout Randomization), CFG (Control Flow Guard), app sandboxing, and more.

These new features have made it much harder for mundane cybercrime operations to come up with zero-days or reliable exploits for newly patched Microsoft bugs, reducing the number of vulnerabilities exploited at scale.

Mass, non-discriminatory exploitation does eventually occur, but usually long after Microsoft has delivered a fix, and after companies have had enough time to test and deploy patches.

Miller said that when vulnerabilities are exploited, they are usually part of targeted attacks, rather than cybercrime-related mass exploitation attacks.

For example, in 2018, 90 percent of all zero-days affecting Microsoft products were exploited as part of targeted attacks. These are zero-days found and used by nation-state cyber-espionage groups against strategic targets, rather than vulnerabilities discovered by spam groups or exploit kit operators.

The other 10 percent of zero-day exploitation attempts were not the work of cyber-criminals trying to make money, but of people playing with non-weaponized proof-of-concept code, trying to understand what a yet-to-be-patched vulnerability does.

Image: Microsoft zero-day exploitation (credit: Matt Miller)

"It is now uncommon to see a non-zero-day exploit released within 30 days of a patch being available," Miller also added.

Exploits for both zero-day and non-zero-day vulnerabilities usually pop up much later because

Read more from our friends at ZDNet