Zero-days aren’t the problem — patches are

There’s a widely held view that our world is full of uber hackers who are too brilliant to stop. Thus, we should fear zero-day attacks because they’re our biggest problem.

Nothing could be further from the truth.

Most hackers follow the path created by a very few smart ones — and zero days make up a very small percentage of attacks. It turns out that patching vulnerable software, if implemented consistently, would stop most hackers cold and significantly reduce risk.

Fear of the zero-day exploit

Zero-days, where an attacker exploits a previously unknown vulnerability to attack a customer, aren’t even the majority of bugs found. According to the most recent Microsoft Security Intelligence Report, around 6,300 unique vulnerabilities appeared in 2015. Symantec says that only 54 of them were classified as zero-days, a little less than 1 percent.

If you tracked total attacks from all exploited vulnerabilities, I’m absolutely positive that it would be orders of magnitudes less.

Most zero-days aren’t used against many people because as soon as they pop up with any frequency, they get “discovered” and reported to the software vendor and are added to antimalware updates. A major undiscovered zero day is often worth tens of thousands of dollars — sometimes more than $100,000. Once it’s discovered, the value may drop to nothing.

In other words, if a hacker uses a zero-day too much, it won’t stay a zero-day for long. Hackers need to be “slow and low” with zero-days, and even then, they know the vulnerability will be discovered and patched soon enough.

Zero-day? How about 365-days?

Most exploits involve vulnerabilities that were patched more than a year ago. So why does it take so many people so long to apply the patch?

Every patch management guide recommends that critical patches should be applied within one week of their release. Overall, you’ll be fine if you patch in the first month. Statistics show that the vast majority organizations that suffer exploits are those that don’t patch in the first year or ever patch at all.

Microsoft has long written about how most of its customers are exploited by vulnerabilities that were patched years ago. Microsoft’s Security Intelligence Report lists the most popular exploits; you’ll be hard-pressed to find an exploit discovered as recently as 2015 on that list. Most successful exploits are old. This year, most exploits date back to 2012 to 2010 — and that’s not only a Microsoft software issue.

The Verizon Data Breach Report 2016 revealed that out of all detected exploits, most came from vulnerabilities dating to 2007. Next was 2011. Vulnerabilities dating to 2003 still account for a large portion of hacks of Microsoft software. We’re not talking about being a little late with patching. We’re talking about persistent neglect.

Why people don’t patch quickly

Most operating systems and applications come with self-patching mechanisms that will do their job if you let them. But why do so many people fail to patch?

I think it comes down to a few factors. First, a lot of people — mostly home users — ignore all those update warnings. Some simply don’t want to take the time to patch and keep putting it off. Others are probably unsure whether the patch update notification message is real. How are they supposed to tell the difference between a fake patch warning and a legitimate patch warning? They chicken out and don’t patch.

Another huge component of unapplied patches stems from unlicensed software. There are tens of millions of people using software illegally, and many are fearful that the latest patch will catch the unlicensed software and disable it. This is the reason why, years ago, Microsoft decided not to require a valid license in order to patch an operating system.

Yet another cause: A lot of computers are set up for computer neophytes by friends or hired professionals who never return — and the neophyte doesn’t know enough to do anything. Very likely the vast majority of mom-and-pop computer stores sell computers that will never be patched during their useful lifetimes.

Lastly, I’m sure some computers aren’t patched because the owners or user make the explicit decision not to patch. Most companies I’ve consulted for employ software programs they feel can’t be patched due to operational concerns. This article includes an interview that reveals the average organization takes 18 months to patch some critical vulnerabilities. I know many companies where that time lag stretches to many, many years.

Focused patching

The conventional wisdom is that all critical patches should be applied as soon as reasonably possible. Most guides say within one week, but I think anything within one month is acceptable.

If you have limited resources (who doesn’t?), then at least concentrate on patching the applications with the most exploits successfully used against the computers you manage. The Verizon Data Breach report says that 85 percent of successful hacks used the top 10 exploits. The other 15 percent were caused by more than 900 different exploits. Patch a few critical programs with vulnerabilities, and you’ll eliminate most of the risk.

Patching is easier — so what’s your excuse?

In the past, patching took a long time. Vendors might take weeks, months, or even years to create a patch to a public vulnerability, and customers might take months to apply them.

Back in 2003 when the SQL Slammer worm infected almost every unpatched SQL server on the Internet — more than 75,000 SQL instances in less than 10 minutes! — the Microsoft patch that closed the vulnerability had been available for almost six months.

Kudos to Google for accelerating its patching schedule, to the point where Google software vulnerabilities take a day or less to be patched. Yet even Google faces a significant percentage of users who either take forever to patch or never patch.

The cloud is fixing that problem. The provider patches the application and everyone who uses it is immediately patched — no stragglers.

Microsoft was recently notified of a critical exploit in Office 365 and patched it within seven hours. Imagine, everyone protected quicker than they could read about it. That’s a huge positive for cloud computing.

Meanwhile, however, most of the software you use remains installed on your own servers or clients. Patching demands vigilance, but patching a few applications can reduce most of your risk. You don’t always need to patch in the first day or week. But don’t take years.