Exploitability Index Improvements Now Offer Additional Guidance
In October of 2008, Microsoft published its first Exploitability Index: a rating system that helps customers identify the likelihood that a specific vulnerability would be exploited within the first 30 days after bulletin release.
As of this month, we are making some changes to the rating system to make vulnerability assessment clearer and more digestible for customers. Specifically, we will be publishing two Exploitability Index ratings per vulnerability: one for the most recent platform, the other an aggregate rating for all older versions of the software. This change makes it easier for customers on recent platforms to determine their risk given the extra security mitigations and features built into Microsoft’s newest products; under the previous system, vulnerabilities were given a single aggregate rating across all product versions.
How do we build an Exploitability Index?
Each vulnerability rating is based on a thorough review by the MSRC Engineering team, as well as close cooperation with a number of key partners. The ratings are qualitative: our team does an in-depth technical analysis of the vulnerability in question, and identifies the likelihood that an experienced exploit developer would be able to exploit the vulnerability. Some great examples of these types of reviews can be found on the SRD blog here and here.
We have received feedback in the past that the Exploitability Index did not take into account more recent mitigations implemented in our operating systems. For instance, Windows 7 hosts Address Space Layout Randomization (ASLR), a mitigation technique which repositions code fragments in memory, and makes it much harder for an attacker to write a reliable exploit. This functionality is not available by default on older operating systems such as Windows XP.
If consistent exploit code was considered likely for any supported version, despite being made significantly more difficult with ASLR, the Exploitability Index rating of that vulnerability would receive Microsoft’s highest rating of “1,” indicating that a reliable exploit within 30 days is likely. While this is accurate for the older version, it does not correctly reflect risk for users with Windows 7.
Rating the Latest Platform Separately from Older Platforms
As of this month, we will split out the Exploitability Index into a rating for the most recent version of the software, and an aggregate rating for all older versions. In the scenario above, the rating for Windows 7 could be “2” whereas the rating for all other platforms would be “1”. This more accurately reflects risk to customers that keep their environment updated with the latest product releases.
Assessing Denial of Service Risk
An additional item we are now providing with the Exploitability Index is an assessment of the Denial of Service risk a vulnerability poses. In the case of remote code execution vulnerabilities, an issue that is difficult to exploit may still be used to crash a computer. Even when an attacker cannot control memory addresses sufficiently to execute code, he may still be able to corrupt memory sufficiently to stop the computer from responding.
For IT administrators, it is important to understand whether the denial of service will be “permanent,” in which case the program or operating system exits unexpectedly, such that the system will need to be restarted; or “temporary,” in which case the program or operating system merely becomes unresponsive during the attack, but eventually recovers. In the example table below, for CVE-2011-0673, the table indicates that an attacker who attempts to exploit the service may render the system entirely unavailable even when the attempt fails. For administrators of internet-facing services, this can often be the difference between a highly important and an insignificant vulnerability.
An Example of Our New Exploitability Index Rating System
To help you prepare for these changes in the May release, we are providing an example of these changes applied to three different CVEs from the April Bulletin Release:
Bulletin | CVE | CVE Title | Code Execution Exploitability Assessment for Latest Software Release (1) | Code Execution Exploitability Assessment for Older Software Release (2) | DOS Exploitability Assessment (3) | Key Notes |
---|---|---|---|---|---|---|
MS11-021 | CVE-2011-0097 | Excel Integer Overrun Vulnerability | 2 – Inconsistent exploit code likely | 1 – Consistent exploit code likely | Temporary | (None) |
MS11-029 | CVE-2011-0041 | GDI+ Integer Overflow Vulnerability | Not affected | 1 – Consistent exploit code likely | Temporary | (None) |
MS11-034 | CVE-2011-0673 | Win32k Null Pointer De-reference Vulnerability | Not affected | 1 – Consistent exploit code likely | Permanent | (None) |
(1) The Latest Software Release refers to the latest supported release of the software as listed in both the “Affected Software” and “Non-Affected Software” tables in the bulletin.
(2) The Older Software Release refers to any other version of the software as listed in both the “Affected Software” and “Non-Affected Software” tables in the bulletin.
In the case of CVE-2011-0097, the most recent version of Microsoft Office has additional mitigations in place that would make exploitation less reliable. For CVE-2011-0041, the latest version of the product, Windows 7, was not affected at all.
CVE-2011-0673 is a local elevation of privilege vulnerability which could lead to a permanent Denial of Service, and may require the machine to be restarted in order to restore functionality. Again, the latest version of the product was not affected by this issue.
In the table, the “Latest Software Release” is always the very latest version listed across both the “Affected Software” and “Non-Affected Software” tables in the security bulletin. The Exploitability Index Assessment for the “Older Software Release” is always the highest rating across any other platform listed in either of these tables. In the case of a complex security bulletin, where for instance both Microsoft Office and Microsoft Windows are affected, the Exploitability Index Assessment for the “Latest Software Release” will be the highest across both software products.
For instance, if the exploitability index assessment for Windows 7 Service Pack 1 is “1,” and for Office 2010 is “2,” the rating in the “Latest Software Release” column will be “1”.
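The aggregation rule above, worked through as an added example (this is not Microsoft's code, and the per-platform ratings it is fed are constructed for illustration): each published column takes the highest rating, meaning the lowest number, across the platforms in its group, a not-affected platform never raises the rating, and a multi-product bulletin takes the highest across all of its latest releases. The `prioritize` helper is likewise an assumption about how an administrator might order updates from the two columns.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Published scale: a lower number means a working exploit is more likely.
# Level 3 belongs to the published scale but does not appear in the table above.
LABELS = {
    1: "1 - Consistent exploit code likely",
    2: "2 - Inconsistent exploit code likely",
    3: "3 - Functioning exploit code unlikely",
}
NOT_AFFECTED = "Not affected"


@dataclass(frozen=True)
class Assessment:
    """Per-platform rating for one CVE (constructed input; a real bulletin lists many)."""
    product: str            # e.g. "Windows" or "Office"
    version: str            # e.g. "Windows 7 SP1"
    latest: bool            # latest supported release of its product, per the bulletin tables
    rating: Optional[int]   # 1, 2, 3, or None when this version is not affected


def _worst(ratings: Iterable[Optional[int]]) -> Optional[int]:
    """Highest (most exploitable) rating, ignoring not-affected platforms."""
    nums = [r for r in ratings if r is not None]
    return min(nums) if nums else None


def aggregate(assessments: Iterable[Assessment]) -> Tuple[str, str]:
    """Return the published (latest-release rating, older-release rating) pair.

    Each column is the highest rating across every platform in its group; for a
    multi-product bulletin the latest-release column spans all products.
    """
    assessments = list(assessments)
    latest = _worst(a.rating for a in assessments if a.latest)
    older = _worst(a.rating for a in assessments if not a.latest)
    return LABELS.get(latest, NOT_AFFECTED), LABELS.get(older, NOT_AFFECTED)


def prioritize(cves: List[Tuple[str, List[Assessment]]], latest_only: bool) -> List[str]:
    """Order CVE ids for patching, most exploitable first, for the platforms a fleet runs.

    A fleet on the latest releases only needs the latest-release column; a mixed
    fleet must also plan around the older-release column. Not-affected sorts last.
    """
    def key(item: Tuple[str, List[Assessment]]) -> int:
        pool = [a.rating for a in item[1] if a.latest or not latest_only]
        worst = _worst(pool)
        return 99 if worst is None else worst
    return [cve for cve, _ in sorted(cves, key=key)]
```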
A historical perspective
At Microsoft, we have been collecting ratings internally in this way for the last eight months. Out of a total of 256 ratings, we found that 97 issues were less serious, or not applicable on the latest version of the product. In contrast, only seven cases affected the most recent product version and not the older platforms.
Some changes, but the same goal
Our goal in publishing Exploitability Index ratings is to make it easier for enterprises to prioritize which updates to install first. We understand that some customers may not be able to install all updates at the same time. By giving an assessment of the exploitability and impact of an issue, we hope to support IT administrators in making rational decisions on which security updates to install first. We hope these changes prove useful in your monthly assessment of our security updates!
Maarten Van Horenbeeck
Senior Security Program Manager
EcoStrat