Microsoft to predict exploitability of its own bugs

Computerworld - Microsoft Corp. will soon edge into the crystal-ball business, predicting each month whether newly found bugs in its software will be exploited, the company said Monday. It also spelled out changes to how much information it gives customers and rival security companies about vulnerabilities, and when.

Starting in October, Microsoft will add an "Exploitability Index" to the security bulletins it issues when it releases patches for Windows and its other software. Also in October, said Andrew Cushman, Microsoft's director of security response and outreach, the company will begin providing select third-party security vendors with technical information about each month's vulnerabilities before patches are posted, in order to give those companies a head start in crafting exploit-detection signatures.

Both moves, said Cushman, are in response to the current security landscape. "They're a continuation of our efforts in security, but they're also a reflection of a changing threat environment," he acknowledged, noting that attack code now often hits the street just hours after Microsoft discloses and patches bugs.

"Customers are always asking, 'What's the most important thing to get done?' when we release security updates," said Cushman. "The new Exploitability Index helps with that problem. We're going to give predictions on how exploitable each issue is."

The index, which will be added as a new table to the monthly security bulletins beginning with those scheduled for release on Oct. 14, will rate each bug using a three-step system (listed here in descending order of severity):

• Consistent exploit code likely.
• Inconsistent exploit code likely.
• Functioning exploit code unlikely.

"We think simpler is better," said Cushman when asked why Microsoft didn't use the Common Vulnerability Scoring System, a ranking system used by, among other organizations, the United States Computer Emergency Readiness Team (US-CERT).

Users and company IT professionals will be able to combine the new exploitability rankings with those already offered — in which Microsoft rates the vulnerability's impact using "critical," "important," "moderate" and "low" — to decide which bugs should be patched first. Some administrators, Cushman said, may decide that it makes more sense in their environment to patch a "moderate" threat that is likely to be exploited before fixing one tagged "critical" for which Microsoft thinks attack code is far-fetched.

"It's another piece of information, another piece to the puzzle," said Fred Pinkett, vice president of product management at Core Security Technologies, a Boston-based company noted for its Core Impact penetration-testing application. "I think its usefulness will depend on the implementation and how accurate the predictions are, but it should help emphasize the need to look at exploitability as one of the factors in deciding what to patch."