Malicious hackers and vandals are lazy and wait for Microsoft to issue patches before they produce tools to work out how to exploit loopholes in Windows, say experts.
Exploits get written once patches appear
Instead of working it out for themselves, malicious hackers are reverse engineering the patches to better understand the vulnerabilities, said David Aucsmith, who is in charge of technology at Microsoft's security business and technology unit.
In a keynote speech to the E-Crime Congress organised by Britain's National Hi-Tech Crime Unit, Mr Aucsmith said the tools that hackers were producing were getting better and shrinking the time between patches being issued and exploits being widely known.
"We have never had vulnerabilities exploited before the patch was known," he said.
Tools of choice
A good example of this phenomenon, he said, was the recent ASN1 "critical vulnerability" that Microsoft produced a patch for in early February.
The vulnerability was discovered by Eeye Digital Security in July 2003 but no exploits were produced until three days after Microsoft's patch became available.
"Many people reverse engineer the patch and then build the exploit code," said Mr Aucsmith.
Malicious hackers were greatly aided by improvements in tools that did a better job of working out what patches did.
Firms have less time to react to vulnerabilities
He said tools were available that compared patched and unpatched versions of Windows to help vandals and criminals work out what was different.
"The guys who write the tools would not consider themselves to be criminals by any measure," he said, "but the tools are also being picked up by people with criminal intent."
Mr Aucsmith said he could only think of one instance when a vulnerability was exploited before a patch was available.
"It's a myth that hackers find the holes," said Nigel Beighton, who runs a research project for security firm Symantec that attempts to predict which vulnerabilities will be exploited next.
He said in many cases the appearance of a patch was the spur that kicked off activity around a particular vulnerability.
Many different malicious hackers and hacking groups competed to see who could be the first to produce a virus or other program that could work with the known hole, he said.
Mr Aucsmith urged companies to keep up with patches because the time they had to react before hackers released exploits was shrinking.
Newer operating systems were also more secure than older programs such as Windows 95 which, when it was first released, had no security features in it at all.
"Almost all attacks against our software are against the legacy systems," he said.
"If you want more secure software, upgrade."