To patch now or defer? Microsoft finds way more bugs exploited as zero days than patched bugs


It is a good idea to patch critical bugs swiftly. However, Microsoft's data shows that rushing doesn't necessarily lower the risk to a system.

At last week's BlueHat security conference, Microsoft security expert Matt Miller gave the lowdown on when vulnerabilities actually get exploited.

According to Miller's presentation, the vast majority of bugs that do get exploited are exploited as zero-days, and it has become much rarer to find exploits for bugs within 30 days of a patch's release. In other words, bugs are increasingly attacked when there is no patch available anyway, while those that do have a patch aren't being attacked immediately.

The share of bugs exploited as zero-days versus those exploited within 30 days of a patch has climbed steadily from 21 percent in 2008 to 100 percent in 2017, before dipping to 83 percent in 2018.
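To make the metric concrete, here is an added example (not code from Microsoft or from Miller's presentation) that classifies exploited vulnerabilities by when they were first exploited relative to their patch, and computes the same share the article quotes: zero-day exploits as a fraction of all exploits that occurred either before the patch or within 30 days after it. Exploits first seen later than 30 days after the patch are tracked but, as in the article's framing, left out of the denominator. The vulnerability names, dates and the "first exploited" field are constructed sample data; a real analysis would need a reliable first-exploitation date per bug.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

ZERO_DAY = "zero-day"
WITHIN_WINDOW = "within-30-days"
LATER = "later"


@dataclass(frozen=True)
class ExploitedVuln:
    name: str                      # constructed identifier, not a real CVE
    first_exploited: date          # earliest known in-the-wild exploitation
    patch_released: Optional[date] # None means no patch exists yet


def classify(v: ExploitedVuln, window_days: int = 30) -> str:
    """Bucket one exploited bug by exploitation timing relative to its patch.

    Zero-day: exploited before any patch existed (or no patch exists at all).
    Within window: exploited on the patch day or up to window_days after it.
    Later: exploited more than window_days after the patch shipped.
    """
    if v.patch_released is None or v.first_exploited < v.patch_released:
        return ZERO_DAY
    if v.first_exploited <= v.patch_released + timedelta(days=window_days):
        return WITHIN_WINDOW
    return LATER


def count_buckets(vulns: List[ExploitedVuln], window_days: int = 30) -> Dict[str, int]:
    counts = {ZERO_DAY: 0, WITHIN_WINDOW: 0, LATER: 0}
    for v in vulns:
        counts[classify(v, window_days)] += 1
    return counts


def zero_day_share(vulns: List[ExploitedVuln], window_days: int = 30) -> Optional[float]:
    """Zero-day exploits / (zero-day + within-window exploits).

    Returns None when neither bucket has any entries, so callers do not
    mistake an empty dataset for a 0 percent share.
    """
    c = count_buckets(vulns, window_days)
    denominator = c[ZERO_DAY] + c[WITHIN_WINDOW]
    if denominator == 0:
        return None
    return c[ZERO_DAY] / denominator


# Constructed sample data covering each timing case, including the
# edge case of exploitation on the patch day itself (counted as post-patch).
SAMPLE: List[ExploitedVuln] = [
    ExploitedVuln("VULN-A", date(2018, 3, 1), date(2018, 3, 13)),   # 12 days before patch
    ExploitedVuln("VULN-B", date(2018, 5, 20), date(2018, 5, 8)),   # 12 days after patch
    ExploitedVuln("VULN-C", date(2018, 9, 1), date(2018, 6, 12)),   # 81 days after patch
    ExploitedVuln("VULN-D", date(2018, 10, 2), None),               # still unpatched
    ExploitedVuln("VULN-E", date(2018, 11, 13), date(2018, 11, 13)),# same day as patch
    ExploitedVuln("VULN-F", date(2018, 12, 10), date(2018, 12, 11)),# 1 day before patch
]


if __name__ == "__main__":
    for v in SAMPLE:
        print(f"{v.name}: {classify(v)}")
    print("buckets:", count_buckets(SAMPLE))
    share = zero_day_share(SAMPLE)
    print("zero-day share:", f"{share:.0%}" if share is not None else "n/a")
```

On the sample above, three bugs are zero-days, two were exploited within the 30-day window and one later, giving a 60 percent share; the "later" bug affects the bucket counts but not the share, which is what makes the metric a statement about how quickly exploitation follows a patch rather than whether it ever does.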

Microsoft also found that when a zero-day bug is exploited, it is most likely to be used in a targeted attack that doesn't affect the majority of Windows users. Criminal exploit kits used for mass attacks, by contrast, haven't used zero-days at all in the past two years.