We just released a new report from the Microsoft Security Response Center (MSRC) called “Building a Safer, More Trusted Internet Through Information Sharing.” This report provides you with an update on the progress of key MSRC initiatives, along with new data on vulnerability counts and the like. Topics covered in the paper include:
- New data from the Microsoft Active Protections Program (MAPP)
- New data on the Microsoft Exploitability Index including guidance for customers on newer platforms
- Information on the relatively new Denial of Service Exploitability Assessment
- New Microsoft Vulnerability Research (MSVR) data
For me, some of the most interesting new data in the report is on the Exploitability Index that is included with security bulletins from Microsoft. If you use the Exploitability Index to help manage the risk associated with Microsoft security bulletins, it can help you with deployment decisions and potentially reduce the number of reboots you need to perform in your environment. These are two topics that the security professionals I talk to are interested in.
Microsoft recommends that customers install all applicable security updates, including bulletins with an exploitability index of 3 or a severity rating of Moderate. Exploitation techniques change over time, and newly developed techniques can make it easier for an attacker to exploit vulnerabilities that had previously been more difficult to successfully exploit. Nevertheless, Microsoft recognizes that prioritization decisions will be made within each organization and that time and resources may often be limited. The Exploitability Index allows customers facing such limitations to better prioritize their update deployments.
For example, a customer that deploys all security bulletins within 30 days would have had to test and deploy a total of 117 bulletins from June 2010 to June 2011. By contrast, a customer that only deploys critical updates with an Exploitability Index rating of 1 and uses the most recent Windows client and server versions exclusively would have deployed just 24 updates, a difference of more than 80 percent.
Figure: Security bulletin deployment events under different scenarios, June 2010–June 2011
In May of 2011, the MSRC started providing information about how exploitability differs between older versions and newer versions of the affected products. Recently released products often include advances and improvements that make it significantly more difficult for an attacker to exploit vulnerabilities. For example, Windows Vista and Windows 7 benefit from Address Space Layout Randomization (ASLR), which significantly reduces the effectiveness of most exploit attempts.
The MSRC performed an internal evaluation of all 256 Exploitability Index ratings published from July 2010 through May 2011 and found that 97 issues (37%) were less serious or nonexistent on the latest version of the affected application than on earlier versions. In contrast, only seven vulnerabilities (3%) affected the most recent version but not older versions.
If you haven’t been taking advantage of the Exploitability Index as part of your security update deployment methodology, the data in this new report will help you get an idea of its potential value to your organization.
Related to the Exploitability Index is a relatively new tool for your security update deployment methodology called the Denial of Service Exploitability Assessment. Microsoft started providing more information about the Denial of Service (DoS) impact for vulnerabilities in Microsoft products. The concept is that even vulnerabilities that are difficult to exploit can still be used to cause a crash in an application or operating system. For each applicable security bulletin, a Denial of Service Exploitability Assessment indicates whether such a crash would be permanent (requiring that the computer be rebooted) or temporary. You can see an example of the Denial of Service Exploitability Assessment in the picture below.
This is another data point you can use to assess and manage risk in your environment. You can download the new report containing all this data from here.
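To make the two data points concrete, here is an added example (not MSRC tooling, and not code from the report) that applies the deployment scenarios described above to a constructed set of bulletin records: the "deploy everything" baseline, the "Critical plus Exploitability Index 1" policy on the latest platform, the same policy on older platforms, and a priority ordering that uses the Denial of Service Exploitability Assessment to pull reboot-forcing crashes ahead of the remaining backlog. The bulletin identifiers, field names and the `prioritize` tiering are this example's own assumptions; the rating scales follow the published definitions (Exploitability Index 1 = consistent exploit code likely, 2 = inconsistent exploit code likely, 3 = functioning exploit code unlikely; DoS Permanent = reboot required, Temporary = service recovers).

```python
"""Added example: prioritizing security bulletins with the Exploitability Index
and the Denial of Service Exploitability Assessment.

Not MSRC tooling. The bulletin records below are constructed, the identifiers
are placeholders, and the tiering in prioritize() is this example's own rule.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str     # constructed placeholder, not a real bulletin number
    severity: str        # maximum severity: Critical, Important, Moderate, Low
    xi_latest: int       # Exploitability Index for the latest software release (1..3)
    xi_older: int        # Exploitability Index for older software releases (1..3)
    dos: Optional[str]   # DoS assessment: "Permanent", "Temporary", or None if not rated


# Constructed sample set covering the cases the report describes: issues that
# are harder to exploit on the latest release (ASLR and similar mitigations),
# and the rarer issue that affects only the latest release.
SAMPLE_BULLETINS: List[Bulletin] = [
    Bulletin("EX-01", "Critical", 1, 1, None),
    Bulletin("EX-02", "Critical", 3, 1, "Permanent"),  # mitigated on the latest release
    Bulletin("EX-03", "Important", 1, 1, "Temporary"),
    Bulletin("EX-04", "Critical", 2, 2, None),
    Bulletin("EX-05", "Moderate", 3, 3, "Permanent"),  # hard to exploit, but a crash forces a reboot
    Bulletin("EX-06", "Critical", 1, 3, None),         # affects only the latest release
    Bulletin("EX-07", "Low", 3, 3, None),
    Bulletin("EX-08", "Critical", 1, 1, "Permanent"),
    Bulletin("EX-09", "Critical", 3, 1, None),         # mitigated on the latest release
]


def exploitability(b: Bulletin, latest_platform: bool) -> int:
    """Return the Exploitability Index that applies to the platform in use."""
    return b.xi_latest if latest_platform else b.xi_older


def select_for_deployment(bulletins: Iterable[Bulletin], *, max_xi: int = 3,
                          severities: Optional[Set[str]] = None,
                          latest_platform: bool = True) -> List[str]:
    """Return the ids of bulletins a deployment policy would include.

    The defaults (index up to 3, any severity) are the recommended baseline:
    deploy every applicable update. Tightening the parameters reproduces the
    report's "Critical with Exploitability Index 1" scenario.
    """
    return [
        b.bulletin_id for b in bulletins
        if exploitability(b, latest_platform) <= max_xi
        and (severities is None or b.severity in severities)
    ]


def scenario_counts(bulletins: List[Bulletin]) -> Dict[str, int]:
    """Deployment event counts for the scenarios compared in the report's figure."""
    critical = {"Critical"}
    return {
        "all bulletins": len(select_for_deployment(bulletins)),
        "critical, XI 1, latest platform": len(
            select_for_deployment(bulletins, max_xi=1, severities=critical, latest_platform=True)),
        "critical, XI 1, older platform": len(
            select_for_deployment(bulletins, max_xi=1, severities=critical, latest_platform=False)),
    }


def reduction_percent(baseline: int, subset: int) -> float:
    """Percentage of deployment events saved relative to the deploy-everything baseline."""
    return round(100.0 * (baseline - subset) / baseline, 1)


def prioritize(bulletins: Iterable[Bulletin], latest_platform: bool) -> List[List[str]]:
    """Order the backlog into three tiers (this example's own rule, not MSRC guidance):
    1. Critical and Exploitability Index 1 on the platform in use
    2. anything else whose DoS assessment is Permanent (a crash forces a reboot)
    3. everything remaining, still scheduled, just later
    """
    tiers: List[List[str]] = [[], [], []]
    for b in bulletins:
        if b.severity == "Critical" and exploitability(b, latest_platform) == 1:
            tiers[0].append(b.bulletin_id)
        elif b.dos == "Permanent":
            tiers[1].append(b.bulletin_id)
        else:
            tiers[2].append(b.bulletin_id)
    return tiers


if __name__ == "__main__":
    counts = scenario_counts(SAMPLE_BULLETINS)
    for scenario, n in counts.items():
        print(f"{scenario}: {n} deployment events")
    print("reduction on latest platform:",
          reduction_percent(counts["all bulletins"], counts["critical, XI 1, latest platform"]), "%")
    for i, tier in enumerate(prioritize(SAMPLE_BULLETINS, latest_platform=True), start=1):
        print(f"tier {i}: {tier}")
```

Note that the older-platform scenario selects a different set, not merely a larger one: EX-06 is on the latest-platform list only, while EX-02 and EX-09 appear only on the older-platform list, which is the pattern the report's 37% versus 3% comparison describes. The tier-3 backlog is still deployed; the point of the index is ordering under limited time, not skipping updates, since exploitation techniques improve over time.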
Director, Product Management