Microsoft to predict exploitability of its own bugs
Will rate likelihood of attacks on flaws it fixes, improve vendor communication
Computerworld - Microsoft Corp. will soon edge into the crystal-ball business, predicting each month whether newly found bugs in its software will be exploited, the company said Monday. It also spelled out changes to how much information it gives customers and rival security companies about vulnerabilities, and when.
Starting in October, Microsoft will add an "Exploitability Index" to the security bulletins it issues when it releases patches for Windows and its other software. Also in October, said Andrew Cushman, Microsoft's director of security response and outreach, the company will begin providing select third-party security vendors with technical information about each month's vulnerabilities before patches are posted, in order to give those companies a head start in crafting exploit-detection signatures.
Both moves, said Cushman, are in response to the current security landscape. "They're a continuation of our efforts in security, but they're also a reflection of a changing threat environment," he acknowledged, noting that attack code now often hits the street just hours after Microsoft discloses and patches bugs.
"Customers are always asking, 'What's the most important thing to get done?' when we release security updates," said Cushman. "The new Exploitability Index helps with that problem. We're going to give predictions on how exploitable each issue is."
The index, which will be added as a new table to the monthly security bulletins beginning with those scheduled for release on Oct. 14, will rate each bug using a three-step system (listed here in descending order of severity):
- Consistent exploit code likely.
- Inconsistent exploit code likely.
- Functioning exploit code unlikely.
"We think simpler is better," said Cushman when asked why Microsoft didn't use the Common Vulnerability Scoring System, a ranking system used by, among other organizations, the United States Computer Emergency Readiness Team (US-CERT).
Users and company IT professionals will be able to combine the new exploitability rankings with those already offered — in which Microsoft rates the vulnerability's impact using "critical," "important," "moderate" and "low" — to decide which bugs should be patched first. Some administrators, Cushman said, may decide that it makes more sense in their environment to patch a "moderate" threat that is likely to be exploited before fixing one tagged "critical" for which Microsoft thinks attack code is far-fetched.
"It's another piece of information, another piece to the puzzle," said Fred Pinkett, vice president of product management at Core Security Technologies, a Boston-based company noted for its Core Impact penetration-testing application. "I think its usefulness will depend on the implementation and how accurate the predictions are, but it should help emphasize the need to look at exploitability as one of the factors in deciding what to patch."
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Alert Logic for PCI DSS Compliance To achieve PCI DSS compliance, you must identify and remediate all critical vulnerabilities detected during PCI scans. Threat Manager streamlines this process by...
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts