
When Vulnerabilities are Exploited: the Timing of First Known Exploits for Remote Code Execution Vulnerabilities


One of the questions I get asked from time to time is about the days of risk between the time a vulnerability is disclosed and when we first see active exploitation of it; in other words, how long do organizations have to deploy the update before active attacks begin? Trustworthy Computing’s Security Science team published new data that helps put the timing of exploitation into perspective, in the recently released Microsoft Security Intelligence Report volume 16.

The Security Science team studied exploits that emerged for the most severe vulnerabilities in Microsoft software between 2006 and 2013. The exploits studied were for vulnerabilities that enable remote code execution. The timing of the release of the first known exploit for each remote code execution vulnerability was examined, and the results were put into three groups:

  • Zero day: the first exploit was discovered in the wild before a security update to address the vulnerability was released
  • Within 30 days: the first exploit was discovered in the wild within 30 days following the release of the security update that addressed the vulnerability
  • After 30 days: the first exploit was discovered in the wild after the first 30 days following the release of the security update that addressed the vulnerability

Figure 1 shows us that there was a 70 percent decline in the total number of remote code execution vulnerabilities that were exploited in Microsoft products between 2010 and 2013. This is likely a result of the continued evolution of security mitigations in Microsoft products, like Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP), that make it much harder and more expensive for attackers to develop reliable exploits for vulnerabilities.

Of those vulnerabilities that do get exploited, the greatest potential risk comes from zero-day exploits, which are discovered in the wild before the publisher of the affected software is able to release a security update to address the vulnerability. Figure 1 illustrates that the number of zero-day exploits detected each year for severe vulnerabilities in Microsoft software decreased from its peak of 18 in 2011 to 13 in 2013. The rapidly shrinking number of remote code execution vulnerabilities that were exploited between 2010 and 2013 is good news, but because the total fell faster than the zero-day count, zero-day exploits accounted for a larger proportion of the total number of exploits in each of the last three years.

With new remote code execution vulnerabilities becoming harder to find and exploit, as secure coding practices improve across the software industry, developing new exploits has become more expensive and the value of previously undisclosed exploits in the underground economy has increased. This reality provides “black hat” security researchers and exploit developers with a powerful incentive to maximize their own profits by selling exclusive access to a vulnerability and exploit to an attacker before the affected vendor has knowledge of the vulnerability and can issue a security update, and before security software vendors can update their detection signatures.

By contrast, remote code execution exploits that first appear more than 30 days after security update publication have become rare, with only one such instance in 2013. The number of exploits in the “after 30 days” category decreased from the peak of 11 in 2010 to 1 in 2013. A big part of this reduction is likely due to the work Microsoft and others in the industry have done to make it easier for customers to test and deploy updates quickly after release, even in large organizations. As the share of computers receiving updates within the first month of release continues to increase, exploiting older vulnerabilities becomes less profitable for attackers.

The number of remote code execution vulnerabilities exploited within the first 30 days after a security update has been released has also decreased substantially since 2010. In 2010, 42 exploits for severe vulnerabilities were first discovered in the 30 days after security updates for the vulnerabilities were released. But there has been a large reduction in this category of exploits in each subsequent year, 23 in 2011, 10 in 2012, and 6 in 2013.

There is likely a combination of reasons for the positive reduction in exploitation in all three categories. First, as I mentioned earlier, it is much harder to find and reliably exploit remote code execution vulnerabilities because of all the security mitigations layered into Microsoft software. Second, there has been increased usage of the Microsoft Update and Windows Update services over the years, providing faster protection to more systems, and organizations have more sophisticated security update deployment and risk management methodologies supported by better and more efficient deployment technologies. Another contributing factor is who is using the exploits and what is motivating them. You can get more insight into this aspect from an article I recently published called “Who Exploits Vulnerabilities: the Path from Disclosure to Mass Market Exploitation.” That data shows that of the 16 remote code execution vulnerabilities studied that were known to be exploited between January 2012 and February 2014, the majority (9 of the 16) were initially exploited in targeted attacks against specific targets. Attempted mass exploitation using the same exploits via exploit kits occurred months after the security updates that addressed the vulnerabilities were published and widely distributed.

Summary

  • Effective security mitigations in Windows and changing vulnerability market economics have contributed to a rapid (70 percent) reduction in the number of remote code execution vulnerabilities that were exploited in Microsoft software over the past three years
  • In 2013 there were 20 remote code execution vulnerabilities in Microsoft software that were known to be exploited, down from 70 in 2010
  • There have been relatively large positive reductions in the number of zero day exploits, vulnerabilities exploited within the first 30 days after a security update is released and vulnerabilities exploited more than 30 days after a security update is released.
    • 13 zero day exploits in 2013, down 28 percent from 2011
    • 6 remote code execution vulnerabilities exploited within 30 days of the security update being released, an 86 percent reduction from 2010
    • 1 remote code execution vulnerability exploited more than 30 days after the release of a security update, a 91 percent reduction from 2010

Using this Information

One way to interpret this data is that attackers are accelerating their efforts and becoming more targeted, trying to use the vulnerabilities they hold before they are disclosed, before the fix is deployed across the ecosystem, and before security vendors add detection for the exploit to their tools and products. There are a few tools and practices I will highlight here that help mitigate this risk.

  • Use the Microsoft Security Response Center Exploitability Index
    While the bulletin Severity Ratings (Critical, Important, Moderate, Low) assume that all vulnerabilities can be successfully exploited all the time, the Exploitability Index focuses on the likelihood that successful exploitation of the vulnerabilities in the bulletin could occur based on currently known exploitation techniques. The Exploitability Index assesses the likelihood that code will be released that exploits the vulnerability or vulnerabilities addressed in a security bulletin within the first 30 days after that bulletin’s release. For more details see Understanding How to Use the Microsoft Security Response Center Exploitability Index.
  • Run the latest software versions and keep them up to date
    Windows 8.1, Internet Explorer 11, and Office 2013 all take advantage of improved security features that more effectively mitigate techniques currently being used to exploit vulnerabilities. Deploying these product versions widely can help mitigate the risk an organization faces from several of the most commonly detected exploits, as Figure 3 illustrates. Using the 64-bit edition of Internet Explorer 11 with Enhanced Protected Mode enabled can also help protect users from a range of Internet-borne threats. Rapid deployment of updates for Critical-rated vulnerabilities that are likely to be exploited (see the Microsoft Security Response Center Exploitability Index above) can help mitigate risk while giving organizations the flexibility to optimize deployment decisions for the rest, as Figure 4 suggests. More details on Figures 3 and 4 can be found in the Microsoft Security Response Center (MSRC) Progress Report 2013.
  • Use the Enhanced Mitigation Experience Toolkit (EMET)
    EMET can be used to protect applications that run on all supported versions of Windows. The features included in EMET are specifically designed to break exploitation techniques that are currently used by attackers. You can get more details on EMET here.

Tim Rains
Director
Trustworthy Computing
