Microsoft Improves Exploitability Index Rating System

Microsoft has a new and improved Exploitability Index Rating System to rate vulnerabilities for both newer and older platforms, in order to help enterprises determine which Windows Updates should be deployed first.

Recently we asked whether IT departments are too slow to patch Windows. Today Microsoft announced a change to how it rates the exploitability of vulnerabilities on newer versus older platforms, meant to help IT admins who cannot install every security update at once decide which to deploy first.

Microsoft's Exploitability Index rates the "likelihood of functioning exploit code being developed for vulnerabilities addressed by Microsoft security updates within the first thirty days of that update's release." Microsoft began publishing the index in 2008 to help enterprises prioritize which security updates need to be deployed first. The ratings are as follows:

  • 1 – Consistent Exploit Code Likely
  • 2 – Inconsistent Exploit Code Likely
  • 3 – Functioning Exploit Code Unlikely

Today, the Microsoft Security Response Center announced changes to the Exploitability Index rating system that will take effect with the next set of Windows patches. Starting May 10, 2011, Microsoft intends to "split out the Exploitability Index into a rating for the most recent version of the software, and an aggregate rating for all older versions." Where IT cannot install all of the updates at the same time, the revised ratings are meant to "assist IT admins in making rational decisions" about which security updates to deploy first.

Microsoft gives this example: "Windows 7 hosts Address Space Layout Randomization (ASLR), a mitigation technique which repositions code fragments in memory, and makes it much harder for an attacker to write a reliable exploit. This functionality is not available by default on older operating systems such as Windows XP." Under the new scheme, the Exploitability Index rating "for Windows 7 could be '2' whereas the rating for all other platforms would be '1'. This more accurately reflects risk to customers that keep their environment updated with the latest product releases."

In addition to the Exploitability Index, Microsoft will include an assessment of the denial of service risk each vulnerability poses: roughly, whether an attack would crash the system (the dreaded BSOD, or blue screen of death) or merely hang it. Some remote code execution vulnerabilities might be difficult to exploit, yet a failed exploit attempt could still crash the computer. Other times, an attacker will not be able to crash the system but could make it temporarily unresponsive. "For IT administrators, it is important to understand whether the denial of service will be 'permanent,' in which case the program or operating system exits unexpectedly, such that the system will need to be restarted; or 'temporary,' in which case the program or operating [system] merely becomes unresponsive during the attack, but eventually recovers."

To better help prepare customers for the changes, Microsoft provided the example below of the new Exploitability Index Rating System as applied to the CVEs released in the April Bulletin.

This is how Microsoft explains deciphering the new Exploitability Rating: "for CVE-2011-0673, the table indicates that an attacker who attempts to exploit the service, even when failed, may render the system entirely unavailable. For administrators of internet-facing services, this can often be the difference between a highly important, and insignificant vulnerability."
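To make the decision logic above concrete, here is a small prioritization script. It is an added example, not a Microsoft tool, and the bulletin entries it sorts are constructed placeholders (IDs like VULN-A and their ratings are made up, not real CVEs or real Microsoft ratings). It applies the split index as described: a host on the latest product version uses the latest-version rating, any other host uses the aggregate rating for older versions. One rule is this author's reading of the quote about internet-facing services, and is an assumption: on an exposed host, a vulnerability whose failed exploit attempt causes a permanent denial of service is treated as urgently as a rating-1 issue, because the attacker does not need working exploit code to take the service down.

```python
from dataclasses import dataclass

# Microsoft's Exploitability Index scale (lower number = more urgent):
#   1 = Consistent Exploit Code Likely
#   2 = Inconsistent Exploit Code Likely
#   3 = Functioning Exploit Code Unlikely
RATING_LABELS = {1: "Consistent Exploit Code Likely",
                 2: "Inconsistent Exploit Code Likely",
                 3: "Functioning Exploit Code Unlikely"}
# Microsoft bulletin severity ratings, most to least serious.
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}
# Denial-of-service assessment: "permanent" (crash, restart needed),
# "temporary" (hang, eventually recovers) or "none".
DOS_RANK = {"permanent": 0, "temporary": 1, "none": 2}


@dataclass(frozen=True)
class Vuln:
    vid: str            # placeholder identifier, not a real CVE
    severity: str
    latest_rating: int  # index for the most recent version of the product
    older_rating: int   # aggregate index for all older versions
    dos: str

    def __post_init__(self):
        if self.latest_rating not in RATING_LABELS or self.older_rating not in RATING_LABELS:
            raise ValueError(f"{self.vid}: ratings must be 1, 2 or 3")
        if self.severity not in SEVERITY_RANK or self.dos not in DOS_RANK:
            raise ValueError(f"{self.vid}: unknown severity or DoS assessment")


def applicable_rating(v, host_is_latest):
    """Pick the rating that applies to this host: latest-version or aggregate."""
    return v.latest_rating if host_is_latest else v.older_rating


def effective_rating(v, host_is_latest, internet_facing):
    """Exploitability rating adjusted for the DoS assessment.

    Assumption (not Microsoft's rule): on an internet-facing host, a
    vulnerability whose failed exploit attempt crashes the system is
    treated as urgently as a rating-1 issue.
    """
    if internet_facing and v.dos == "permanent":
        return 1
    return applicable_rating(v, host_is_latest)


def prioritize(vulns, host_is_latest, internet_facing=False):
    """Return vulnerability IDs in the order their fixes should be deployed."""
    def key(v):
        return (effective_rating(v, host_is_latest, internet_facing),
                SEVERITY_RANK[v.severity],
                DOS_RANK[v.dos],
                v.vid)
    return [v.vid for v in sorted(vulns, key=key)]


# Constructed sample bulletin: placeholder IDs and made-up ratings.
SAMPLE = [
    # Mitigated by ASLR on the latest platform: 2 there, 1 on older versions.
    Vuln("VULN-A", "Critical", latest_rating=2, older_rating=1, dos="temporary"),
    # Hard to exploit anywhere, but a failed attempt crashes the service.
    Vuln("VULN-B", "Important", latest_rating=3, older_rating=3, dos="permanent"),
    Vuln("VULN-C", "Important", latest_rating=1, older_rating=1, dos="none"),
    Vuln("VULN-D", "Critical", latest_rating=3, older_rating=2, dos="none"),
]

if __name__ == "__main__":
    for host, latest, exposed in [("Windows 7 workstation", True, False),
                                  ("Windows XP workstation", False, False),
                                  ("Windows 7 internet-facing server", True, True)]:
        print(f"{host}: {prioritize(SAMPLE, latest, exposed)}")
```

Run it and the three host profiles come out in different orders: the XP host moves VULN-A to the front because its aggregate rating is 1, while the internet-facing server moves VULN-B to the front even though its exploitability rating is 3 everywhere.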

Microsoft is also providing advance notification "on the release of a Critical security bulletin addressing a vulnerability in Windows, and an Important bulletin addressing two vulnerabilities in Microsoft Office."


Copyright © 2011 IDG Communications, Inc.
