Microsoft sees value in exploitability index
Microsoft announced early results last week of its attempt to focus customers on the most pernicious vulnerabilities through its exploitability index, a three-grade measure of the likelihood of a vulnerability being exploited.
The software giant did an analysis of its October patch release, one month after releasing a dozen fixes for 21 vulnerabilities. The company found that its researchers correctly predicted that four of the flaws, which were assigned a rating of "functioning exploit code unlikely," would not yet be exploited. Of the nine vulnerabilities that the company predicted would be exploited, four have had working exploit code released in the first month, Mike Reavey, group manager for Microsoft"s Security Response Center, said in a blog post on Thursday.
"Some customers express(ed) concern that ... we’d raise the amount of exploit code present in the ecosystem by highlighting the issues most likely to have exploit code developed," Reavey stated in the post, stressing that it appears that those customers" fears have not been realized. "We haven’t told customers to worry less about a given vulnerability when in fact, they should have. In fact, it may even be that the increased attention led to faster deployments to protect against these vulnerabilities and that in turn made these less attractive."
Last week, Microsoft issued two patches to fix four flaws in its Windows operating system, closing holes in the core library that handles extensible markup language (XML) and in the code that handles internal-network data. October"s Patch Tuesday had many more flaws to patch, including critical issues in the company"s Active Directory software, Internet Explorer software, Host Integration Server (HIS) software and Microsoft Office Excel.
The first four issues in the October patch release to be exploited had code released in the first two weeks, following Patch Tuesday, Reavey stated. Microsoft announced its exploitability index at the Black Hat Briefings security conference in Las Vegas in August.