Today we are announcing changes to Microsoft’s Exploitability Index.
Since October 2008, we have used the Exploitability Index to provide customers with valuable exploitability analysis for our security bulletins, and starting Tuesday this information will become even more comprehensive for those who use Microsoft’s latest platforms.
The Exploitability Index assesses the likelihood of functional exploit code being developed for a particular vulnerability. By providing the index information month over month, we’re helping customers prioritize the security updates that matter to them. The Exploitability Index will continue to provide an aggregate exploitability rating across all affected products, and the improvements made to the Exploitability Index will now offer additional information to help customers prioritize bulletins, specifically for the most recent platforms, e.g. Windows 7 Service Pack 1 and Office 2010.
For example, the Exploitability Index for CVE-2011-0097, a security issue addressed by MS11-021 in the April 2011 release, originally rated a “1 – Consistent Exploit Code Likely”. However, under the previous system, the Exploitability Index did not specifically illustrate that customers using Excel 2010 were at less risk; with Excel 2010, CVE-2011-0097 would rate a “2 – Inconsistent Exploit Code Likely”. In fact, our research has shown that 37 percent of the vulnerabilities addressed since July 2010 have had similar results: the latest platform was either entirely unaffected or significantly more difficult to exploit.
Maarten Van Horenbeeck, senior security program manager, goes into more depth on the background of the Exploitability Index and the value of these improvements in the MSRC blog post “Exploitability Index Improvements Now Offer Additional Guidance”.
Additionally, we're providing advanced notification on the release of a Critical security bulletin addressing a vulnerability in Windows, and an Important bulletin addressing two vulnerabilities in Microsoft Office. As usual, the bulletin release is scheduled for the second Tuesday of the month, May 10, at approximately 10 a.m. PDT.
For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.
Sr. Response Communications Manager
Microsoft Trustworthy Computing