Announcing the Exploitability Index

At Blackhat we announced an important change to our Security Bulletins that becomes effective with the October release.

One of the requests we often heard when talking to our customers is that they would like better information on how hard it is to exploit a vulnerability. We will introduce an Exploitability Index by October. Basically, each vulnerability addressed will be assigned one of three values:

  • Consistent Exploit Code Likely. This means analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit that vulnerability. This would make the vulnerability an attractive target for attackers; therefore, it is more likely that exploit code would be created. As such, customers who have reviewed the security bulletin and have determined its applicability within their environment might treat a vulnerability with this value as a higher priority.
  • Inconsistent Exploit Code Likely. This means analysis has shown that exploit code could be created, but an attacker would likely experience inconsistent results, even when targeting the affected product. While an attacker may be able to increase the consistency of results by having better understanding and control of the target environment, the unreliable nature of this attack makes it a less attractive target for attackers. As such, customers who have reviewed the security bulletin and determined its applicability within their environment might treat a vulnerability with this value as an important update; however, if prioritizing against other highly exploitable vulnerabilities, they could choose to rank this lower in their deployment priority.
  • Functioning Exploit Code Unlikely. This means analysis has shown that exploit code which functions successfully is unlikely to be released. While an attacker could create exploit code that could trigger the vulnerability and cause abnormal behavior, it is unlikely that an attacker would be able to create an exploit that could successfully exercise the full impact of the vulnerability. Therefore, once customers have reviewed the security bulletin to determine its applicability within their environment, they might prioritize this update below other vulnerabilities within a release.

I hope that this makes life easier for you when assessing our updates.

If you would like to get more information, read the fact sheet.

As always, your feedback is very welcome.

Roger