Ads by TechWords

See your link here
Receive the latest technology news and information.
Security
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
Cloud Computing
View all newsletters




Privacy Policy
 

Microsoft's exploit predictions are right less than half the time

'We did really well,' company says; others doubt usefulness of rating system

November 12, 2008 12:00 PM ET

Active Comments
Anonymous says: I show that they were correct 68% of the time. 4/9 were correctly called as exploitable and 9/9 were called...
A Non Moose says: The real shame is the relative insecurity that has carried over from their older product lines. If they spent as...


Computerworld - Microsoft Corp. today called its first month of predicting whether hackers will create exploit code for its bugs a success -- even though the company got its forecast right less than half the time.

"I think we did really well," said Mike Reavey, group manager at the Microsoft Security Research Center (MSRC), when asked for a postmortem evaluation of the first cycle of the team's Exploitability Index. "Four of the issues that we said where consistent exploit code was likely did have exploit code appear over the first two weeks. And another key was that in no case did we rate something too low."

The index, launched last month, rates each vulnerability using a three-step system. It predicts, in descending order of severity, the probability that researchers or hackers would come up with a consistently working exploit or develop an exploit that works only some of the time, or whether they would fail to craft attack code at all.

The predictions are valid for the following 30 days, or until the next cycle of patches is released.

Of the nine October vulnerabilities marked "Consistent exploit code likely," four did, in fact, end up with exploit code available, said Reavey, for an accuracy rate of 44%. None of the nine tagged "Inconsistent exploit code likely" had seen actual attack code. But Microsoft correctly called the four bugs last month tagged with "Functioning exploit code unlikely." As Reavey said, exploit code did not appear for any of the four.

All told, Microsoft correctly predicted eight out of October's 20 vulnerabilities' exploitability, an accuracy rate of 40%. (One of the month's 21 bugs did not receive a rating, as Microsoft said public exploit code was already circulating, making a label moot.)

That accuracy rate was down slightly from what Microsoft claimed during a five-month internal run of the index before it announced the program in August at the Black Hat security conference. According to a presentation Reavey gave at the conference, during the five months it assigned ratings, Microsoft correctly predicted the exploit code availability of 17 out of 36 bugs, for an accuracy rate of 47%.

October's showing didn't faze Reavey, who said what is key is that Microsoft nailed the four for which exploit code was unlikely. "It's important that we don't rate something less likely [to have exploit code] than it turns out to be," he said, "because then customers would have inaccurate information for prioritizing patches."

Microsoft has promoted the index as another piece of information that users, particularly enterprises, can use to decide which vulnerabilities should be patched immediately and which ones can wait.



Jump to comments

Microsoft

Additional Resources

EFD vs. HDD - What You Need to Know
WHITE PAPER
Enterprise flash drives provide a new Tier 0 storage layer capable of delivering high I/O performance at a very low latency. Proper use of EFDs in an Oracle environment can deliver increased performance compared to fibre channel drives. Read the recommendations for identification of the best DB components for EFDs.
Gartner Research Report: Magic Quadrant for Application Delivery Controllers, 2009
WHITE PAPER
The market for products to improve the delivery of application software over networks remains dynamic and innovative. Vendors focused on solving enterprises' most-pressing application problems have become the top players.
Eight Criteria for Server Load Balancing
WHITE PAPER
Server load balancers are a simple yet highly effective means to scale an application environment while ensuring its availability. Today's solutions should also address application performance and security. Read about the top eight criteria you should consider when choosing a server load balancer and how Citrix NetScaler meets those requirements.

What People Are Saying

White Papers & Webcasts

Death to PST Files
Download Now  

Web 2.0, Social Media and the Dark Web - A Web Criminals Paradise?
In this discussion, learn about the challenges of protecting your users from the potentially unsafe content hidden in the "Dark Web".

eGuide: Enterprise Security
Smart Security Strategies for 2010. Read now!  

Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...


IT Jobs