Microsoft to predict exploitability of its own bugs

Will rate likelihood of attacks on flaws it fixes, improve vendor communication

Microsoft Corp. will soon edge into the crystal-ball business, predicting each month whether newly found bugs in its software will be exploited, the company said Monday. It also spelled out changes to how much information it gives customers and rival security companies about vulnerabilities, and when.

Starting in October, Microsoft will add an "Exploitability Index" to the security bulletins it issues when it releases patches for Windows and its other software. Also in October, said Andrew Cushman, Microsoft's director of security response and outreach, the company will begin providing select third-party security vendors with technical information about each month's vulnerabilities before patches are posted, in order to give those companies a head start in crafting exploit-detection signatures.

Both moves, said Cushman, are in response to the current security landscape. "They're a continuation of our efforts in security, but they're also a reflection of a changing threat environment," he acknowledged, noting that attack code now often hits the street just hours after Microsoft discloses and patches bugs.

"Customers are always asking, 'What's the most important thing to get done?' when we release security updates," said Cushman. "The new Exploitability Index helps with that problem. We're going to give predictions on how exploitable each issue is."

The index, which will be added as a new table to the monthly security bulletins beginning with those scheduled for release on Oct. 14, will rate each bug on a three-level scale (listed here in descending order of severity):

  • Consistent exploit code likely.
  • Inconsistent exploit code likely.
  • Functioning exploit code unlikely.

"We think simpler is better," said Cushman when asked why Microsoft didn't use the Common Vulnerability Scoring System, a ranking system used by, among other organizations, the United States Computer Emergency Readiness Team (US-CERT).

Users and company IT professionals will be able to combine the new exploitability rankings with those already offered — in which Microsoft rates the vulnerability's impact using "critical," "important," "moderate" and "low" — to decide which bugs should be patched first. Some administrators, Cushman said, may decide that it makes more sense in their environment to patch a "moderate" threat that is likely to be exploited before fixing one tagged "critical" for which Microsoft thinks attack code is far-fetched.
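As an added illustration of the prioritization described above (not code from the article or from Microsoft), the script below sorts a constructed month of bulletins by combining the Exploitability Index with the existing severity rating; the weighting, which puts exploitability ahead of severity, is one administrator's policy choice, and the bulletin identifiers are placeholders.

```python
# Added example, not from the article: order a month's bulletins for deployment
# by combining Microsoft's severity rating with the new Exploitability Index.
# The policy here (exploitability first, severity second) is a constructed
# choice, the one the article says some administrators may make; it is not a
# Microsoft recommendation.
from dataclasses import dataclass

# Exploitability Index levels as announced, most severe first.
EXPLOITABILITY = {
    "consistent exploit code likely": 3,
    "inconsistent exploit code likely": 2,
    "functioning exploit code unlikely": 1,
}

# Existing bulletin severity ratings, most severe first.
SEVERITY = {"critical": 4, "important": 3, "moderate": 2, "low": 1}


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str      # placeholder identifier, not a real bulletin number
    severity: str
    exploitability: str


def priority_key(b: Bulletin) -> tuple[int, int]:
    """Higher tuple sorts first: exploitability, then severity as tie-break."""
    try:
        return (EXPLOITABILITY[b.exploitability.lower()],
                SEVERITY[b.severity.lower()])
    except KeyError as exc:  # reject ratings outside the two published scales
        raise ValueError(f"unknown rating for {b.bulletin_id}: {exc}") from None


def deployment_order(bulletins: list[Bulletin]) -> list[str]:
    """Return bulletin ids in the order an administrator would deploy them."""
    return [b.bulletin_id
            for b in sorted(bulletins, key=priority_key, reverse=True)]


# Constructed sample month; ids are placeholders.
SAMPLE_MONTH = [
    Bulletin("MS-EXAMPLE-1", "critical", "Functioning exploit code unlikely"),
    Bulletin("MS-EXAMPLE-2", "moderate", "Consistent exploit code likely"),
    Bulletin("MS-EXAMPLE-3", "important", "Inconsistent exploit code likely"),
    Bulletin("MS-EXAMPLE-4", "critical", "Consistent exploit code likely"),
]

if __name__ == "__main__":
    print(deployment_order(SAMPLE_MONTH))
```

Under this policy the "moderate" bulletin with consistent exploit code likely (EXAMPLE-2) is deployed before the "critical" one for which exploit code is unlikely (EXAMPLE-1).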

"It's another piece of information, another piece to the puzzle," said Fred Pinkett, vice president of product management at Core Security Technologies, a Boston-based company noted for its Core Impact penetration-testing application. "I think its usefulness will depend on the implementation and how accurate the predictions are, but it should help emphasize the need to look at exploitability as one of the factors in deciding what to patch."

Cushman also announced an information-sharing initiative, dubbed the Microsoft Active Protection Program, which will debut in October as well. Using MAPP, Microsoft will provide technical information about the vulnerabilities it plans to patch to some security software developers prior to the release of those updates.

Currently, security vendors must wait until Microsoft issues its patches before they can begin examining the bugs and start developing signatures for possible exploits.

"As soon as we patch, that starts a race," between hackers on the one hand, creating attack code, and customers on the other, who are trying to test Microsoft's patches and deploy them as quickly as possible, said Cushman. "[MAPP] will give the protection providers a head start and should shorten the time between [our] updates and [their] protection. We recognize that it's a race."

Cushman, however, declined to get specific about some aspects of MAPP, refusing, for instance, to say how many days in advance security vendors would receive vulnerability information from Microsoft. Core Security's Pinkett said he understood that the advance would be only a few days, perhaps as few as one or two.

Security companies must apply to the program, which Cushman said Microsoft would limit to "commercial software vendors who deliver protection products." The number admitted to MAPP has not been decided, but Cushman said that the more allowed in, the greater the risk of the information leaking out early. Microsoft will not charge for the information or levy fees for membership in the program.

"I don't have to tell you that this takes some people at Microsoft outside their comfort level," Cushman said, commenting on the departure from past practice, "but the problems in security today are so large that no one vendor can deliver a solution by themselves. We're pushing the envelope here."

Microsoft will, Cushman added, provide the MAPP companies with detailed information about how the vulnerability can be exploited, but he stopped short of promising proof-of-concept attack code. "We are going to do the heavy lifting," he said. "We'll do the reverse engineering in many cases that will ID where the vulnerability is."

Overall, Pinkett was impressed. "You have to give them credit that they're putting effort into the security process," he said. "It's not a silver bullet to the problem, but more information is always better. Both of these are kind of interesting and show that Microsoft is being more proactive in the security space."

Microsoft will provide more information about the new index and MAPP at the Black Hat security conference on Thursday.
