Microsoft to predict exploitability of its own bugs
Will rate likelihood of attacks on flaws it fixes, improve vendor communication
Computerworld - Microsoft Corp. will soon edge into the crystal-ball business, predicting each month whether newly found bugs in its software will be exploited, the company said Monday. It also spelled out changes to how much information it gives customers and rival security companies about vulnerabilities, and when.
Starting in October, Microsoft will add an "Exploitability Index" to the security bulletins it issues when it releases patches for Windows and its other software. Also in October, said Andrew Cushman, Microsoft's director of security response and outreach, the company will begin providing select third-party security vendors with technical information about each month's vulnerabilities before patches are posted, in order to give those companies a head start in crafting exploit-detection signatures.
Both moves, said Cushman, are in response to the current security landscape. "They're a continuation of our efforts in security, but they're also a reflection of a changing threat environment," he acknowledged, noting that attack code now often hits the street just hours after Microsoft discloses and patches bugs.
"Customers are always asking, 'What's the most important thing to get done?' when we release security updates," said Cushman. "The new Exploitability Index helps with that problem. We're going to give predictions on how exploitable each issue is."
The index, which will be added as a new table to the monthly security bulletins beginning with those scheduled for release on Oct. 14, will rate each bug using a three-step system (listed here in descending order of severity):
- Consistent exploit code likely.
- Inconsistent exploit code likely.
- Functioning exploit code unlikely.
"We think simpler is better," said Cushman when asked why Microsoft didn't use the Common Vulnerability Scoring System, a ranking system used by, among other organizations, the United States Computer Emergency Readiness Team (US-CERT).
Users and company IT professionals will be able to combine the new exploitability rankings with those already offered — in which Microsoft rates the vulnerability's impact using "critical," "important," "moderate" and "low" — to decide which bugs should be patched first. Some administrators, Cushman said, may decide that it makes more sense in their environment to patch a "moderate" threat that is likely to be exploited before fixing one tagged "critical" for which Microsoft thinks attack code is far-fetched.
"It's another piece of information, another piece to the puzzle," said Fred Pinkett, vice president of product management at Core Security Technologies, a Boston-based company noted for its Core Impact penetration-testing application. "I think its usefulness will depend on the implementation and how accurate the predictions are, but it should help emphasize the need to look at exploitability as one of the factors in deciding what to patch."
- Top 10 Reasons to Strengthen Information Security with Desktop Virtualization Regain control and reduce risk without sacrificing business productivity and growth
- Preventing Sophisticated Attacks: Anti-Evasion & Advanced Evasion Techniques McAfee Next Generation Firewall applies sophisticated analysis techniques specifically to detect advanced evasion techniques (AET).
- The Security Industry's Dirty Little Secret The debate over advanced evasion techniques (AETs) This report summarizes the findings of a McAfee commissioned research group to determine the level of understanding IT security professionals have about AETs...
- Demand More, Get the Most from the Move to a Next-Generation Firewall Beyond the basics in a next generation firewall, to protect your investment you should demand other valuable features: intrusion prevention, contextual rules, advanced...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!