No doubt a paper would generate a doctorate in computer science.

One My experiences is this. The Pain called Vundo. Was using Avast at the time and this was before Avast knew about Vundo (no definitions yet for Vundo). I learned that day to NEVER truth just one ANTIVIRUS to protect you, as Virus Total did have ONE result that did see the pain. Home Computer and lots of fun getting rid of it. Probably using XP at the time.

Top notch post!  I’ve thought about it a few times today since first reading it.  We’re kind of in new, unchartered waters today with the kernel/side-channel possible exploits (the 40+ drivers is in there too).  This is what intrigues me, while also off-putting and a little scary -all groups, A-D, wouldn’t likely know until it’s too late.   Hypothetically, let’s say 10% manifested in the wild, across the board, all groups until 2018.  Post 2018+/-, will we have accurate data and reference points -or will machines be running NSA, Chinese, Blackhat (you choose) botnets unbeknownst to their users?  We’ve seen a transition to exploiting the hardware side, which ofc is a little scarier given end users have less control.  When Intel’s CEO sells-off his stock a week before the first mention of Spectre/Meltdown we should have known times are changing.  Building the inpentrable fortress is 1billion times more difficult than trying to sniff out exploits.

Back to point: IME is weird to me, anyone else, Bueller?  There’s a lot of money being made in selling new CPUs/hardware! (as well as AV/AM protection, as you noted -but the AV/AM grift is becoming more obsolete/useless against spectre/meltdown, bunk drivers out of the box, e.t.).

An excellent question – and one that’s hard to define.

Best info I have is in my “Knee Jerk” article in Computerworld. https://www.computerworld.com/article/3402718/the-case-against-knee-jerk-installation-of-windows-patches.html

There is one Microsoft study that doesn’t directly address your questions, but hints at them broadly.

? says:

is the “Windows CTF text Vulnerability,” info in post # 1907609 of any concern? or more scare mongering?

https://googleprojectzero.blogspot.com/2019/08/down-rabbit-hole.html

i disable ctfmon

Here’s a theory that would create a paper and form the basis for research that proves or disproves the theory.

There are several types of invasive malware:

• Malware that can be addressed by your anti-virus software. This prevention is easiest to apply by keeping your anti-virus definitions up-to-date.
• Bugs and holes introduced by other software and patches as a result of the knee-jerk reaction described by Woody Leonhardt: https://www.computerworld.com/article/3402718/the-case-against-knee-jerk-installation-of-windows-patches.html
  This type of invasion is harder to prevent and in the event of infection, much harder to cure. It’s also more wide-spread than the first instance. To patch or not to patch? You have some control.
• Private-information hack due to third-party failure to protect such information. In this case, the hack isn’t known until much later, may not be publicly disclosed, and affects a large number of people with dire consequences. You have no control over prevention, and subsequent damage control is extensive.

In the three cases, severity increases while your ability to limit the hack decreases. And that’s where the research enters. Based on a statistical and reasonable sample and analysis, is this hypothesis true? What conclusions may then be drawn?

Also of interest, what is the percentage of each case?