Using Vulnerability Data to Optimize Security Update Deployments

Recently the Microsoft Security Response Center (MSRC) released its annual “MSRC Progress Report.” The report provides insights into key security bulletin and Common Vulnerabilities and Exposures (CVE) statistics and into how several MSRC programs performed during the one-year period between July 2012 and June 2013.

For example, during the 12 months ending June 2013, Microsoft released a total of 92 security bulletins to address 246 individual vulnerabilities. Of the security bulletins released during this period there were two out-of-band updates, both affecting versions of Internet Explorer: MS12-063, released on September 21, 2012 and MS13-008, released on January 14, 2013. 

In Figure 1, notice the ratio between the number of bulletins released and the number of CVEs addressed in each six-month period. Figure 2 plots that ratio from the first half of 2007 (1H07) to the first half of 2013 (1H13). The MSRC recognizes that restarting systems disrupts businesses and that uptime is critical, so a restart after installing a Microsoft security update is required only when absolutely necessary. For the same reason, whenever possible the MSRC consolidates multiple vulnerabilities that affect a single binary or component into a single security bulletin, to maximize the effectiveness of each update and minimize the disruption customers face from testing and deploying individual updates. Consolidation is not always feasible: when vulnerabilities affect different, unrelated components they must be addressed by separate updates. The lowest ratio was in the second half of 2007, an average of 1.5 CVEs addressed per bulletin. The ratio in the first half of 2013 is a historic high at 3.16. A high ratio saves organizations time and money on security update testing and deployment, because each bulletin they test and deploy closes more vulnerabilities.

Figure 1: Bulletins issued and CVEs addressed between the first half of 2007 (1H07) and the first half of 2013 (1H13)

Figure 2: Average number of CVEs addressed per security bulletin from the first half of 2007 (1H07) to the first half of 2013 (1H13)

Another data set in the MSRC Progress Report that customers tell me they find interesting and useful is the Microsoft Exploitability Index (XI) data. One question that is always top of mind for customers on the second Tuesday of each month, when Microsoft releases security updates, is how likely it is that attackers will be able to successfully exploit the vulnerabilities the new updates address. Each month, Microsoft publishes an XI rating for each vulnerability addressed by that month’s security bulletins. The XI rating system is intended to help customers prioritize bulletin deployment by estimating the likelihood that a given vulnerability will be exploited within the first 30 days after the update’s release. The report has all the details, but to quickly summarize the ratings:

The Exploitability Index uses three levels to communicate to customers the likelihood of functioning exploit code being developed. Microsoft continuously evaluates the level descriptions, and modifies them when appropriate to simplify and clarify the assessments. Currently, the levels are defined as follows:

  1. Exploit code likely. This rating means that MSRC analysis shows that exploit code could be created, allowing an attacker to consistently exploit the vulnerability.
  2. Exploit code would be difficult to build. This rating means that MSRC analysis shows that exploit code could be created, but that an attacker would likely have difficulty creating the code.
  3. Exploit code unlikely. This rating means that MSRC analysis shows that successfully functioning exploit code is unlikely to be released.

The 92 security bulletins published from July 2012 to June 2013 resulted in 266 Exploitability Index ratings as seen in Figure 3.

Figure 3: Microsoft Exploitability Index ratings, July 2012 –June 2013

This data can help customers make better deployment decisions, as Figure 4 suggests. Microsoft recommends deploying all security bulletins in a timely fashion; Figure 4 illustrates how XI ratings can nonetheless save time and money by deciding which deployments get the expedited process. During the twelve-month period ending June 2013, a customer that prioritized critical updates with an XI rating of 1, and ran the most recent Windows client and server versions exclusively, could have deployed just 21 updates at the highest priority level and used a less expensive, non-urgent deployment process for the remaining 71. The count depends on that last condition: XI ratings are assessed per platform, so an environment that also runs older Windows versions should expect more bulletins to land in the urgent tier.

Figure 4: Security bulletin deployment events under different scenarios, July 2012 –June 2013
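To make the Figure 4 prioritization concrete, and to show how the three XI levels above feed into it, here is a small Python script that tiers a set of bulletins into an urgent and a non-urgent deployment process. This is an added example, not code from the report or from Microsoft. The bulletin identifiers, vulnerability labels, severities and XI values are constructed placeholders; the split of each rating into a latest-release and an older-release column, and the choice to treat an unrated bulletin as XI 1, are my assumptions rather than anything the report states.

```python
from dataclasses import dataclass
from typing import Dict, List

# The three Exploitability Index levels, as defined in the MSRC report.
XI_EXPLOIT_LIKELY = 1      # "Exploit code likely"
XI_EXPLOIT_DIFFICULT = 2   # "Exploit code would be difficult to build"
XI_EXPLOIT_UNLIKELY = 3    # "Exploit code unlikely"

URGENT = "urgent"           # expedited test-and-deploy process
NON_URGENT = "non-urgent"   # regular, less expensive deployment cycle


@dataclass(frozen=True)
class CveRating:
    cve: str
    xi_latest: int  # XI for the most recent Windows client/server releases
    xi_older: int   # XI for older releases (assumed split; ratings differ by platform)


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str
    severity: str             # "Critical", "Important", "Moderate" or "Low"
    ratings: List[CveRating]  # one XI rating per CVE the bulletin addresses


def effective_xi(bulletin: Bulletin, latest_only: bool) -> int:
    """Worst-case XI level for a bulletin (1 is worst, 3 is best).

    A bulletin usually fixes several CVEs; the one most likely to be exploited
    drives the deployment decision. If the estate runs only the latest
    releases, only xi_latest matters; otherwise take the worse of the two.
    """
    levels = [
        r.xi_latest if latest_only else min(r.xi_latest, r.xi_older)
        for r in bulletin.ratings
    ]
    # Assumption: a bulletin with no rating is treated conservatively as XI 1.
    return min(levels) if levels else XI_EXPLOIT_LIKELY


def prioritize(bulletins: List[Bulletin], latest_only: bool = True) -> Dict[str, str]:
    """Apply the Figure 4 rule: Critical severity AND XI 1 => urgent tier.

    Everything else is still deployed, but through the non-urgent process.
    """
    tiers: Dict[str, str] = {}
    for b in bulletins:
        urgent = (b.severity == "Critical"
                  and effective_xi(b, latest_only) == XI_EXPLOIT_LIKELY)
        tiers[b.bulletin_id] = URGENT if urgent else NON_URGENT
    return tiers


def tier_counts(tiers: Dict[str, str]) -> Dict[str, int]:
    """How many bulletins fall into each deployment tier."""
    counts = {URGENT: 0, NON_URGENT: 0}
    for tier in tiers.values():
        counts[tier] += 1
    return counts


def cves_per_bulletin(bulletins: List[Bulletin]) -> float:
    """The consolidation ratio plotted in Figure 2 (CVEs addressed / bulletins)."""
    if not bulletins:
        return 0.0
    return sum(len(b.ratings) for b in bulletins) / len(bulletins)


# Constructed sample data: placeholder bulletin and vulnerability labels, not real ones.
SAMPLE_BULLETINS = [
    Bulletin("BULLETIN-A", "Critical", [CveRating("vuln-A1", 1, 1),
                                        CveRating("vuln-A2", 2, 1)]),
    Bulletin("BULLETIN-B", "Critical", [CveRating("vuln-B1", 2, 1)]),   # harder on latest only
    Bulletin("BULLETIN-C", "Important", [CveRating("vuln-C1", 1, 1)]),  # XI 1 but not Critical
    Bulletin("BULLETIN-D", "Critical", [CveRating("vuln-D1", 3, 3),
                                        CveRating("vuln-D2", 3, 2)]),
    Bulletin("BULLETIN-E", "Moderate", [CveRating("vuln-E1", 3, 3)]),
]

if __name__ == "__main__":
    print(f"CVEs per bulletin: {cves_per_bulletin(SAMPLE_BULLETINS):.2f}")
    for latest_only in (True, False):
        tiers = prioritize(SAMPLE_BULLETINS, latest_only)
        label = "latest releases only" if latest_only else "older releases in use"
        print(f"{label}: {tier_counts(tiers)}")
        for bulletin_id, tier in tiers.items():
            print(f"  {bulletin_id}: {tier}")
```

Running it with `latest_only=True` puts only BULLETIN-A in the urgent tier; switching to `latest_only=False` also promotes BULLETIN-B, because its vulnerability is rated XI 1 on older releases. That is the mechanism behind the "most recent Windows versions exclusively" condition in the 21-versus-71 split. Note that the tier only changes how fast a bulletin moves through testing and deployment, not whether it is deployed.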

There is plenty of other new data in the report.  You can download the MSRC Progress Report 2013 from here.

Tim Rains
Trustworthy Computing

About the Author
Tim Rains

Director, Security

Tim Rains is Director, Security at Microsoft where he helps manage marketing communications for Microsoft Cloud & Enterprise security, identity, and enterprise mobility products and services. Formerly, Tim was Chief Security Advisor of Microsoft’s Enterprise Cybersecurity Group where he helped