Microsoft Exploitability Index

Published: October 10, 2008 | Updated: February 10, 2009

The Microsoft Exploitability Index is designed to provide additional information to help customers better prioritize the deployment of Microsoft security updates. This index provides customers with guidance on the likelihood of functioning exploit code being developed for vulnerabilities addressed by Microsoft security updates within the first thirty days of that update's release.

Why Microsoft Developed the Exploitability Index

Through Microsoft security bulletins and during our monthly security bulletin webcast, customers are provided with information about proof-of-concept code, exploit code, or active attacks relating to our security updates at the time of release. Microsoft developed the Exploitability Index in response to customer requests for additional information to further evaluate risk. The index helps customers prioritize the deployment of Microsoft security updates by offering details about the likelihood that functioning exploit code would be released after a security update is released.

How the Exploitability Index Works

Microsoft evaluates the potential exploitability of vulnerabilities associated with a Microsoft security update and then publishes the exploitability information as part of the monthly Microsoft security bulletin summary. If it is determined within the first thirty days that the Exploitability Index Assessment warrants a change, Microsoft will change the assessment in the bulletin summary and notify customers through technical security notifications. The assessment in the bulletin summary will not be updated when exploit code is posted that matches the existing exploitability information. This exploitability information includes the bulletin ID, the bulletin title for that bulletin, the CVE ID associated with the specific vulnerability, the Exploitability Index Assessment, and key notes.
For example, the exploitability information table for a bulletin from the April 2008 security bulletin release is as follows:

The Exploitability Index uses one of three values to communicate to customers the likelihood of functioning exploit code for the vulnerabilities addressed by Microsoft security bulletins:

| Exploitability Index Assessment | Short Definition |
| --- | --- |
| 1 | Consistent exploit code likely |
| 2 | Inconsistent exploit code likely |
| 3 | Functioning exploit code unlikely |
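The following is an added worked example, not part of the Microsoft article, showing how a patch-management team might turn an exploitability information table into a deployment order using the rules the article states: assessment 1 is deployed first and 3 last, a key note that singles out a product (such as Windows 2000) can raise the priority for environments running that product, and an assessment is only revised within the first thirty days after release. The bulletin IDs, CVE numbers, titles and the per-product override field are constructed placeholders, not values Microsoft published.

```python
from dataclasses import dataclass, field


@dataclass
class ExploitabilityRow:
    bulletin_id: str
    title: str
    cve: str
    index: int             # 1, 2 or 3 as published in the bulletin summary
    key_notes: str = ""
    # Constructed field: per-product ratings a reader derives from the key
    # notes (e.g. "Windows 2000 is at more risk"); Microsoft publishes prose only.
    product_index: dict = field(default_factory=dict)


def parse_table(text):
    """Parse a pipe-delimited table with the columns the article lists:
    bulletin ID, bulletin title, CVE ID, assessment (1-3), key notes."""
    rows = []
    for line in text.strip().splitlines()[1:]:          # first row is the header
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        rows.append(ExploitabilityRow(cells[0], cells[1], cells[2],
                                      int(cells[3]), cells[4]))
    return rows


def effective_index(row, products):
    """Most urgent (lowest) index that applies to the products you actually run."""
    overrides = [row.product_index[p] for p in products if p in row.product_index]
    return min([row.index] + overrides)


def deployment_order(rows, products):
    """Rank updates: index 1 first, 3 last; ties broken by bulletin ID."""
    ranked = sorted(rows, key=lambda r: (effective_index(r, products), r.bulletin_id))
    return [f"{r.bulletin_id}/{r.cve}" for r in ranked]


def reassess(row, new_index, days_since_release):
    """Apply the revision rule the article states: the assessment changes only
    within the first 30 days, and exploit code that merely matches the published
    assessment (new_index == index) changes nothing. Returns True if changed."""
    if days_since_release > 30 or new_index == row.index:
        return False
    row.index = new_index
    return True


# Constructed sample table; IDs and CVE numbers are placeholders, not real bulletins.
SAMPLE_TABLE = """
| Bulletin ID | Bulletin Title | CVE ID | Exploitability Index Assessment | Key Notes |
| MSyy-001 | Constructed bulletin A | CVE-yyyy-0001 | 3 | none |
| MSyy-002 | Constructed bulletin B | CVE-yyyy-0002 | 2 | Windows 2000 at more risk |
| MSyy-003 | Constructed bulletin C | CVE-yyyy-0003 | 1 | none |
"""
```

Setting `product_index` on a row records the reader's interpretation of a key note; `deployment_order` then ranks that bulletin higher only for environments that include the named product.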
1 – Consistent Exploit Code Likely

This rating means that our analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit that vulnerability. For example, an exploit would be able to cause remote code execution of that attacker's code repeatedly, and in a way that an attacker could consistently expect the same results. This would make it an attractive target for attackers, and therefore more likely that exploit code would be created. As such, customers who have reviewed the security bulletin and determined its applicability within their environment could treat this with a higher priority.

2 – Inconsistent Exploit Code Likely

This rating means that our analysis has shown that exploit code could be created, but an attacker would likely experience inconsistent results, even when targeting the affected product. For example, an exploit would be able to cause remote code execution, but may only work 1 out of 10 times, or 1 out of 100 times, depending on the state of the system being targeted and the quality of the exploit code. While an attacker may be able to increase the consistency of their results by having better understanding and control of the target environment, the unreliable nature of this attack makes it a less attractive target for attackers. Therefore, it is likely that exploit code will be created, but it is unlikely that attacks will be as effective as those against other, more consistently exploitable, vulnerabilities. As such, customers who have reviewed the security bulletin and determined its applicability within their environment should treat this as a material update, but if prioritizing against other highly exploitable vulnerabilities, could rank this lower in their deployment priority.

3 – Functioning Exploit Code Unlikely

This rating means that our analysis has shown that exploit code that functions successfully is unlikely to be released. This means that it might be possible for exploit code to be released that could trigger the vulnerability and cause abnormal behavior, but it is unlikely that an attacker would be able to create an exploit that could successfully exercise the full impact of the vulnerability. Given that vulnerabilities of this type would require significant investment by attackers to be useful, the risk of exploit code being created and used is much lower. Therefore, customers who have reviewed the security bulletin to determine its applicability within their environment could prioritize this update below other vulnerabilities within a release.

Key Notes Section

The Key Notes provided in the table contain additional information on whether there is a significant change in the exploitability prediction for a particular product or operating system, as well as other important information relating to the ability to exploit that specific vulnerability. In the example above, Windows 2000 is at more risk than other operating systems, so customers should take this into account if prioritizing their release by operating system or product version.

Important Terms and Definitions

Exploit Code – A software program or sample code that, when executed against a vulnerable system, uses the vulnerability to spoof attacker identity, tamper with user or system information, repudiate attacker action, disclose user or system information, deny service to valid users, or elevate privileges for the attacker.

Functioning Exploit Code – Exploit code that is able to cause the maximum security impact of a vulnerability to occur. For example, if a vulnerability had a security impact of remote code execution, Functioning Exploit Code would be able to cause remote code execution to occur when run against a target system.

Consistently Exploitable – The level of exploitability of a vulnerability such that exploit code that targets the vulnerable system performs reliably.

Inconsistently Exploitable – The level of exploitability of a vulnerability such that exploit code that targets the vulnerable system works only under certain specific conditions, requires expertise and sophisticated timing, or has varied results.

Trigger a Vulnerability – Being able to reach the vulnerable code, but not always being able to achieve the maximum impact. For example, it may be easy to trigger a remote code execution vulnerability, but the resulting effect may only be a denial of service.

Frequently Asked Questions (FAQ) Related to the Exploitability Index

Q: What is the Microsoft Exploitability Index?

A: The Microsoft Exploitability Index is an index that provides additional information to help customers prioritize their deployment of the monthly security updates. This index is designed to provide customers guidance concerning the likelihood of functioning exploit code for each vulnerability addressed by Microsoft security bulletins.

Q: Why did Microsoft create the Exploitability Index?

A: Customers asked for more information to help them prioritize their deployment of Microsoft security updates each month, specifically requesting details about the likelihood of exploit code for the vulnerabilities addressed in security bulletins. Through webcasts and customer calls, Microsoft has always answered this request with a description of known exploit code or attacks at the time of release. The Exploitability Index goes beyond this by providing details about how exploitable a vulnerability may be, and the likelihood of exploit code being published in the month following a security bulletin's release.

Q: Is this a truly reliable rating system?

A: While predicting activity within the security ecosystem is always difficult, there are three reasons why this system should be reliable.
First, over the last few years we've realized that many security researchers analyze the updates associated with Microsoft's security bulletins the day they are released in order to create and evaluate protections. In doing so, many of these researchers also create exploit code to test these protections. The methodology used to develop this exploit code is similar to the one Microsoft uses to determine the likelihood of exploit code release. Microsoft analyzes the updates themselves, the nature of the vulnerability, and the conditions that must be met in order for an exploit to execute successfully.

Second, not all vulnerabilities resolved by our security updates result in released exploit code. In fact, only 30 percent of vulnerabilities resolved in Microsoft security bulletins in 2006 and 2007 had functioning exploit code released. While there are many social factors that can determine the release of exploit code, the technical differences in some vulnerabilities make exploitation even more challenging. For example, the combination of address space layout randomization (ASLR) and data execution prevention (DEP) on Windows Vista makes some vulnerabilities more difficult to exploit. Some vulnerabilities also require systems to have memory in a predictable state in order for exploit code to function successfully. Therefore, careful analysis of each vulnerability, using the methodology mentioned above, can provide reliable insight into the difficulty of creating exploit code that could work consistently.

Finally, we're also partnering with protection providers through the Microsoft Active Protections Program, working with them to help validate our predictions each month, thereby using a community approach as a way to ensure better accuracy through information sharing.

Q: How is it different from the MSRC Bulletin Severity Rating system?

A: The MSRC Bulletin Severity Rating system assumes that exploitation will be successful. For some vulnerabilities, where exploitability is high, this assumption is very likely to be true for a broad set of attackers. For other vulnerabilities, where exploitability is low, this assumption may only be true when a dedicated attacker puts a lot of resources into ensuring their attack is successful. Regardless of the Bulletin Severity or Exploitability Index rating, Microsoft always recommends that customers deploy all applicable and available updates; however, this rating information can assist sophisticated customers in prioritizing their approach to each month's release.

Q: What happens if an Exploitability Index rating is incorrect?

A: The ability to rate the possible exploitation of vulnerabilities is an evolving science, and new techniques for exploitation in general, or unique techniques specific to a vulnerability, may be discovered that could change the Exploitability Index rating. However, the goal of the Exploitability Index is to help customers prioritize those updates for the most current monthly release. Therefore, if there is information that would change an assessment released in the first month of a security release, the MSRC will update the Exploitability Index. If information becomes available in subsequent months, after most customers have made their prioritization decisions, the Exploitability Index would not be updated, as it is no longer useful to the customer.

Q: How does the Exploitability Index relate to CVSS and other rating systems?

A: The Exploitability Index is separate and not related to other rating systems. However, the MSRC is a contributing member to the Common Vulnerability Scoring System (CVSS), and Microsoft shares its experience and customer feedback in building and releasing the Exploitability Index with the working group in order to help ensure CVSS is effective and actionable.

Q: Does this warn against targeted attacks?

A: While the Exploitability Index itself does not warn against how an attacker may target an attack, it can be helpful in providing customers a view into which vulnerabilities could be used more prominently in targeted attacks. For example, in limited targeted attacks, an attacker will most likely choose vulnerabilities with high exploitability in order to reduce the discoverability of the attack. Therefore, customers concerned with targeted attacks may use the Exploitability Index to prioritize those updates and protections for those vulnerabilities in their monthly risk assessments.