Microsoft to predict exploitability of its own bugs
Will rate likelihood of attacks on flaws it fixes, improve vendor communication
Computerworld - Microsoft Corp. will soon edge into the crystal-ball business, predicting each month whether newly found bugs in its software will be exploited, the company said Monday. It also spelled out changes to how much information it gives customers and rival security companies about vulnerabilities, and when.
Starting in October, Microsoft will add an "Exploitability Index" to the security bulletins it issues when it releases patches for Windows and its other software. Also in October, said Andrew Cushman, Microsoft's director of security response and outreach, the company will begin providing select third-party security vendors with technical information about each month's vulnerabilities before patches are posted, in order to give those companies a head start in crafting exploit-detection signatures.
Both moves, said Cushman, are in response to the current security landscape. "They're a continuation of our efforts in security, but they're also a reflection of a changing threat environment," he acknowledged, noting that attack code now often hits the street just hours after Microsoft discloses and patches bugs.
"Customers are always asking, 'What's the most important thing to get done?' when we release security updates," said Cushman. "The new Exploitability Index helps with that problem. We're going to give predictions on how exploitable each issue is."
The index, which will be added as a new table to the monthly security bulletins beginning with those scheduled for release on Oct. 14, will rate each bug using a three-step system (listed here in descending order of severity):
- Consistent exploit code likely.
- Inconsistent exploit code likely.
- Functioning exploit code unlikely.
"We think simpler is better," said Cushman when asked why Microsoft didn't use the Common Vulnerability Scoring System, a ranking system used by, among other organizations, the United States Computer Emergency Readiness Team (US-CERT).
Users and company IT professionals will be able to combine the new exploitability rankings with those already offered — in which Microsoft rates the vulnerability's impact using "critical," "important," "moderate" and "low" — to decide which bugs should be patched first. Some administrators, Cushman said, may decide that it makes more sense in their environment to patch a "moderate" threat that is likely to be exploited before fixing one tagged "critical" for which Microsoft thinks attack code is far-fetched.
"It's another piece of information, another piece to the puzzle," said Fred Pinkett, vice president of product management at Core Security Technologies, a Boston-based company noted for its Core Impact penetration-testing application. "I think its usefulness will depend on the implementation and how accurate the predictions are, but it should help emphasize the need to look at exploitability as one of the factors in deciding what to patch."
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts