Microsoft exploitability rating

First, over the last few years we have learned that many security researchers analyze Microsoft's security updates on the day they are released in order to create and evaluate protections. In doing so, many of these researchers also write exploit code to test those protections. The methodology used to develop that exploit code is similar to the one Microsoft uses to determine the likelihood that exploit code will be released: Microsoft analyzes the updates themselves, the nature of the vulnerability, and the conditions that must be met for an exploit to execute successfully.

Second, not all vulnerabilities resolved by our security updates are exploited. A vulnerability may well be technically exploitable with a high degree of reliability, yet never be exploited in practice.

We continuously monitor and track exploitation activity to keep up to date with current trends. This informs our opinion of what makes one vulnerability more attractive to attackers than similar ones, and lets us communicate the actual risk, rather than only the potential risk, of the vulnerabilities we patch.

Finally, we also partner with protection providers through the Microsoft Active Protections Program (MAPP), working with them to help validate our predictions each month. This community approach improves accuracy through information sharing.

For some vulnerabilities, where exploitability is high, the assumption that working exploit code will appear is very likely to hold for a broad set of attackers.

For other vulnerabilities, where exploitability is low, that assumption may hold only when a dedicated attacker puts substantial resources into making the attack succeed. Regardless of the Severity or Exploitability Index rating, Microsoft always recommends that customers deploy all applicable and available updates; the rating information, however, can help customers prioritize their approach to each month's release.

The Exploitability Index does not differentiate between vulnerability types. It focuses on the likelihood that each vulnerability will be exploited to its full impact potential. Thus any vulnerability, whether it is Remote Code Execution, Tampering or another class, can receive any of the Exploitability Index ratings. Rating the likely exploitation of vulnerabilities is an evolving science: new exploitation techniques in general, techniques specific to one vulnerability, or new trends in detected exploits against particular products may be discovered that change the Exploitability Index rating.

The goal of the Exploitability Index, however, is to help customers prioritize the updates in the most current monthly release. Therefore, if information emerges that would change an assessment during the first month after a security release, Microsoft will update the Exploitability Index.

If such information only becomes available in subsequent months, after most customers have already made their prioritization decisions, the Exploitability Index will not be updated, as the change is no longer useful to the customer. When an Exploitability Index rating is corrected in a way that reflects increased risk to customers, the security update's revision number is incremented at the major version (for instance, from 1.

Today, the Microsoft Security Response Center announced changes in the Exploitability Index rating system which will be in place for the next set of Windows patches. Starting May 10, Microsoft intends to "split out the Exploitability Index into a rating for the most recent version of the software, and an aggregate rating for all older versions."

Microsoft gives this example: "Windows 7 hosts Address Space Layout Randomization (ASLR), a mitigation technique which repositions code fragments in memory, and makes it much harder for an attacker to write a reliable exploit.

This functionality is not available by default on older operating systems such as Windows XP." Splitting the rating this way more accurately reflects the risk to customers who keep their environment updated with the latest product releases.

In addition to the Exploitability Index, Microsoft will include an assessment of the Denial of Service risk that the vulnerability poses, roughly the odds of the dreaded BSOD (blue screen of death) versus a temporary hang. Some remote code execution vulnerabilities might be difficult to exploit, yet an attacker could still crash the computer.

At other times, an attacker will not be able to crash the system, but could make the computer temporarily unresponsive. To help prepare customers for the changes, Microsoft provided the example below of the new Exploitability Index rating system as applied to the CVEs released in the April bulletin.

This is how Microsoft explains reading the new Exploitability Index table: "for the CVE, the table indicates that an attacker who attempts to exploit the service, even when failed, may render the system entirely unavailable." Triggering the vulnerability could be as simple as browsing to a web page or opening an email.

The severity ratings mentioned above are Microsoft's bulletin severity levels; the definitions for the Important, Moderate and Low levels are as follows.

Important: A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources. These scenarios include common use scenarios where the client is compromised with warnings or prompts, regardless of the prompt's provenance, quality, or usability. Sequences of user actions that do not generate prompts or warnings are also covered.

Moderate: Impact of the vulnerability is mitigated to a significant degree by factors such as authentication requirements or applicability only to non-default configurations.

Low: Impact of the vulnerability is comprehensively mitigated by the characteristics of the affected component. Microsoft recommends that customers evaluate whether to apply the security update to the affected systems.

Severity alone does not say how likely a vulnerability is to be exploited. To assess that likelihood, the Microsoft Exploitability Index provides additional information to help customers better prioritize the deployment of Microsoft security updates.
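The following Python script is an added example, not Microsoft's code and not part of the original page. It shows how a patch-management team can combine the three signals described above (bulletin severity, the split Exploitability Index with one rating for the latest product version and an aggregate rating for older versions, and the Denial of Service rating) with an inventory of which product generations the organisation actually runs, so that the split rating changes the ordering the way the ASLR example suggests. It also encodes the bulletin revision rule from the section above. The rating vocabularies (1/2/3 for the Exploitability Index, "Permanent"/"Temporary" for denial of service), the inventory format, the `Advisory` type and the CVE rows are all assumptions constructed for illustration; the CVE identifiers are placeholders, not real advisories.

```python
"""Patch-triage helper using the ratings described above.

Added example, not Microsoft's code.  Rating vocabularies, the inventory
format and the sample advisory rows are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Set, Tuple

# Assumed Exploitability Index scale: 1 = consistent exploit code likely,
# 2 = inconsistent exploit code likely, 3 = functional exploit code unlikely.
# None means the product generation is not affected.
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}

# Assumed denial-of-service vocabulary: a failed exploit attempt that leaves
# the machine unusable ("Permanent", the BSOD case) outranks one that only
# stalls it ("Temporary"); None means no DoS assessment was given.
DOS_RANK = {"Permanent": 0, "Temporary": 1, None: 2}


@dataclass
class Advisory:
    cve: str
    product: str
    severity: str
    xi_latest: Optional[int]   # rating for the most recent product version
    xi_older: Optional[int]    # aggregate rating for all older versions
    dos: Optional[str] = None  # denial-of-service rating


def effective_exploitability(adv: Advisory, inventory: Dict[str, Set[str]]) -> Optional[int]:
    """Pick the rating that applies to the generations we actually run.

    inventory maps a product name to a subset of {"latest", "older"}.  A shop
    that only runs the latest version is judged by xi_latest (it gets the
    benefit of mitigations such as ASLR); one with any older hosts is judged
    by the worse (numerically lower) of the two ratings.
    """
    gens = inventory.get(adv.product, set())
    candidates = []
    if "latest" in gens and adv.xi_latest is not None:
        candidates.append(adv.xi_latest)
    if "older" in gens and adv.xi_older is not None:
        candidates.append(adv.xi_older)
    return min(candidates) if candidates else None


def prioritize(advisories: Sequence[Advisory],
               inventory: Dict[str, Set[str]]) -> List[Tuple[str, Optional[int]]]:
    """Return (cve, effective rating) pairs, most urgent first.

    Sort key: effective exploitability, then severity, then DoS impact.
    Advisories for products we do not run are kept (Microsoft still
    recommends deploying every applicable update) but sorted last.
    """
    def key(adv: Advisory):
        xi = effective_exploitability(adv, inventory)
        return (9 if xi is None else xi, SEVERITY_RANK[adv.severity],
                DOS_RANK[adv.dos], adv.cve)
    return [(a.cve, effective_exploitability(a, inventory))
            for a in sorted(advisories, key=key)]


def next_revision(current: str, old_xi: int, new_xi: int) -> str:
    """Bulletin revision bump after an Exploitability Index correction.

    Assumed reading of the rule above: a correction that reflects increased
    risk (a numerically lower rating) increments the major version, e.g.
    1.0 -> 2.0; any other correction increments the minor version.
    """
    major, minor = (int(part) for part in current.split("."))
    if new_xi < old_xi:
        return f"{major + 1}.0"
    return f"{major}.{minor + 1}"


# Constructed sample rows; placeholder identifiers, not real ratings.
SAMPLE = [
    Advisory("CVE-EXAMPLE-0001", "Windows", "Critical", xi_latest=3, xi_older=1, dos="Permanent"),
    Advisory("CVE-EXAMPLE-0002", "Windows", "Important", xi_latest=1, xi_older=1, dos="Temporary"),
    Advisory("CVE-EXAMPLE-0003", "Office", "Important", xi_latest=2, xi_older=2),
    Advisory("CVE-EXAMPLE-0004", "Exchange", "Critical", xi_latest=1, xi_older=1),
]

if __name__ == "__main__":
    latest_only = {"Windows": {"latest"}, "Office": {"latest", "older"}}
    mixed = {"Windows": {"latest", "older"}, "Office": {"older"}}
    print("latest-only Windows estate:", prioritize(SAMPLE, latest_only))
    print("estate with older Windows :", prioritize(SAMPLE, mixed))
    print("revision after risk-raising correction:", next_revision("1.0", 3, 1))
```

Running the two inventories side by side shows the point of the split rating: CVE-EXAMPLE-0001, which is hard to exploit on the latest version but easy on older ones, falls from first to third place once every Windows host in the estate is on the latest release.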
