Using the MSRC Exploitability Index
Published: August 11, 2010
Author: Ken Malcolmson, Senior Product Manager, Microsoft Trustworthy Computing
One of the IT professional's most important responsibilities is deploying software security updates. Because large-scale software is a complex product produced by human beings, it is impossible to completely prevent vulnerabilities from being introduced during the development process. Software vendors issue security updates for their products to address these vulnerabilities, and deploying these updates can become a significant workload. However, IT professionals can use the Microsoft Security Response Center (MSRC) Exploitability Index to help prioritize Microsoft security update deployments.
In October 2003, Microsoft introduced a predictable security update release cycle through which security bulletins address vulnerabilities in Microsoft software. These security bulletins are typically released on the second Tuesday of each month, although on rare occasions Microsoft releases security updates between the monthly security updates (these are also known as "out-of-band" updates) when the vulnerability is determined to pose an urgent risk to customer systems.
As part of the update release process, Microsoft publishes several pieces of information in each security bulletin: the security bulletin release notice, summary and details, as well as security advisories and Knowledge Base articles, all of which are intended to help IT professionals prioritize the deployment of these updates (Figure 1). A key activity in this prioritization process is calculating the risk to an organization if an update is not deployed; this risk can then be compared with the cost involved in deployment, and an informed decision can be made.
Figure 1. Calculating risks associated with security update deployments
In simple terms, calculating risk involves two variables:
Each security bulletin carries a severity rating that indicates the "worst case" scenario of an attack that exploits the vulnerability addressed by the update. In other words, the severity rating assumes that functioning exploit code will be developed that targets the vulnerability. This is the Impact.
This severity rating is a valuable tool in assessing the priority of deploying each security update in an environment; however, it does not tell the whole story. Due to technical differences between vulnerabilities, a specific vulnerability rated as Critical because of its potential "worst-case" exploitation actually may be much less likely to have functioning exploit code developed than a vulnerability rated as Important. In this case, the IT professional may choose to prioritize deployment of the security update addressing the Important vulnerability first.
The Exploitability Index addresses how likely it is that functioning exploit code actually will be developed within the first 30 days after a security update is released. This is the Probability.
It is ideal to build a risk-based priority list for the deployment of security updates by using the Exploitability Index assessments in conjunction with the security bulletin severity ratings.
To illustrate the Exploitability Index in use, let's look at an example taken from the TechNet article entitled "Microsoft Exploitability Index."
Risk Assessment without Exploitability Index
Suppose, for example, that in one month, the MSRC releases five new security bulletins with the following severity ratings:
Based on this information, an IT professional might prioritize these security updates as follows:
This prioritization reflects the severity ratings. All security updates rated as Critical receive top priority, and the non-critical updates receive lower priority.
Exploitability Index Combined with Severity Ratings
Now, taking these same hypothetical security bulletins, we assess them based on the Exploitability Index:
Taking this additional Exploitability Index information into account in the risk assessment, a customer may choose a different prioritization:
What has changed is that where before MS0X-005 was given immediate priority because it was rated as Critical, it has now been reprioritized downward. Conversely, while MS0X-003 was given lower priority before, its priority has been increased. In both cases, these changes reflect the additional information provided by the Exploitability Index. Even though MS0X-003 is of lower severity than MS0X-005 (Important versus Critical), because MS0X-003 is rated 1 on the Exploitability Index it is deemed likely to have consistent exploit code, which increases its overall priority. Conversely, because MS0X-005, with its Exploitability Index rating of 3, is deemed unlikely to have functioning exploit code, its overall priority decreases.
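The reprioritization described above, worked through as an added example that is not part of the original article: MS0X-003 (Important, index 1) and MS0X-005 (Critical, index 3) are taken from the text, while the other three bulletins, the numeric weights, and the impact-times-probability scoring are constructed assumptions for illustration.

```python
"""Prioritising a month's security bulletins with and without the
Exploitability Index. Added example, not the article's own code."""
from dataclasses import dataclass

# Impact: the worst-case severity rating carried by each bulletin.
# The numeric weights are an assumption made for this example.
SEVERITY_WEIGHT = {"Critical": 4, "Important": 3, "Moderate": 2, "Low": 1}

# Probability: Exploitability Index rating within 30 days of release.
# 1 = consistent exploit code likely, 2 = inconsistent exploit code
# likely, 3 = functioning exploit code unlikely. Weights are assumed.
EXPLOITABILITY_WEIGHT = {1: 3, 2: 2, 3: 1}


@dataclass(frozen=True)
class Bulletin:
    ident: str
    severity: str       # Critical / Important / Moderate / Low
    exploitability: int  # Exploitability Index rating, 1..3


def risk_score(b: Bulletin) -> int:
    """Risk = Impact x Probability, the article's two variables."""
    return SEVERITY_WEIGHT[b.severity] * EXPLOITABILITY_WEIGHT[b.exploitability]


def rank_by_severity(bulletins):
    """Priority order from the severity rating alone (stable on ties)."""
    ordered = sorted(bulletins, key=lambda b: -SEVERITY_WEIGHT[b.severity])
    return [b.ident for b in ordered]


def rank_by_risk(bulletins):
    """Priority order from severity combined with the Exploitability
    Index; ties on risk fall back to severity, then bulletin number."""
    key = lambda b: (-risk_score(b), -SEVERITY_WEIGHT[b.severity], b.ident)
    return [b.ident for b in sorted(bulletins, key=key)]


# Constructed sample month of five bulletins, mirroring the article's
# hypothetical scenario; only -003 and -005 are taken from the text.
SAMPLE = [
    Bulletin("MS0X-001", "Critical", 1),
    Bulletin("MS0X-002", "Critical", 2),
    Bulletin("MS0X-003", "Important", 1),  # from the article
    Bulletin("MS0X-004", "Moderate", 3),
    Bulletin("MS0X-005", "Critical", 3),   # from the article
]

if __name__ == "__main__":
    print("severity only:      ", rank_by_severity(SAMPLE))
    print("with exploitability:", rank_by_risk(SAMPLE))
```

With the constructed weights, MS0X-005 drops from third to fourth and MS0X-003 rises from fourth to second, reproducing the shift the article describes.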
Because the Exploitability Index is a prediction of possible future occurrences, it can and will at times be inaccurate. However, it does represent a good-faith estimation based on the latest information and the experience of the MSRC. It can and should be used in conjunction with the severity rating system to help determine the priority of testing and deployment for security updates. Like the severity rating system, it is not meant to obviate or replace IT professionals' assessment and analysis of the security updates based on their own policies and procedures. It is meant to be a recommendation that supplements a customer's own security assessment and remediation processes.
About the Author
Ken Malcolmson is a product manager in the Trustworthy Computing Communications group at Microsoft providing product management services to the Microsoft Security Response Center and the Microsoft Malware Protection Center. Ken has been with Microsoft for more than 12 years, before which he held a variety of IT jobs within the UK Civil Service.