
Using the MSRC Exploitability Index

Published: August 11, 2010

Author: Ken Malcolmson, Senior Product Manager, Microsoft Trustworthy Computing

Background

One of the IT professional's most important responsibilities is deploying software security updates. Because large-scale software is a complex product produced by human beings, it is impossible to completely prevent vulnerabilities from being introduced during the development process. Software vendors issue security updates for their products to address these vulnerabilities, and deploying these updates can become a significant workload. However, IT professionals can use the Microsoft Security Response Center (MSRC) Exploitability Index to help prioritize Microsoft security update deployments.

Security Updates

In October 2003, Microsoft introduced a predictable security update release cycle through which security bulletins address vulnerabilities in Microsoft software. These security bulletins are typically released on the second Tuesday of each month, although on rare occasions Microsoft releases security updates between the monthly security updates (these are also known as "out-of-band" updates) when the vulnerability is determined to pose an urgent risk to customer systems.

As part of the update release process, Microsoft publishes several pieces of information with each security bulletin: the security bulletin release notice, summary and details, as well as security advisories and Knowledge Base articles, all of which are intended to help IT professionals prioritize the deployment of these updates (Figure 1). A key activity in this prioritization process is calculating the risk to an organization if an update is not deployed; this risk can then be compared with the cost of deployment so that an informed decision can be made.

Figure 1. Calculating risks associated with security update deployments


In simple terms, calculating risk involves two variables:

  • Impact - The potential effect of a vulnerability being exploited
  • Probability - The likelihood of that exploitation taking place

Each security bulletin carries a severity rating that indicates the "worst case" scenario of an attack that exploits the vulnerability addressed by the update. In other words, the severity rating assumes that functioning exploit code will be developed that targets the vulnerability. This is the Impact.

Severity ratings and definitions

This severity rating is a valuable tool in assessing the priority of deploying each security update in an environment; however, it does not tell the whole story. Due to technical differences between vulnerabilities, a specific vulnerability rated as Critical because of its potential "worst-case" exploitation actually may be much less likely to have functioning exploit code developed than a vulnerability rated as Important. In this case, the IT professional may choose to prioritize deployment of the security update addressing the Important vulnerability first.

Exploitability Index

The Exploitability Index addresses how likely it is that functioning exploit code actually will be developed within the first 30 days after a security update is released. This is the Probability.

Exploitability Index Assessment definitions

It is ideal to build a risk-based priority list for the deployment of security updates by using the Exploitability Index assessments in conjunction with the security bulletin severity ratings.

To illustrate the Exploitability Index in use, let's look at an example taken from the TechNet article entitled "Microsoft Exploitability Index."

Example

Risk Assessment without Exploitability Index

Suppose, for example, that in one month, the MSRC releases five new security bulletins with the following severity ratings:

Traditional risk assessment example

Based on this information, an IT professional might prioritize these security updates as follows:

  • Immediate testing and deployment:
    • MS0X-001
    • MS0X-002
    • MS0X-005
  • Testing and deployment within one week:
    • MS0X-003
  • Testing and deployment within one month:
    • MS0X-004

This prioritization reflects the severity ratings. All security updates rated as Critical receive top priority, and the non-critical updates receive lower priority.

Exploitability Index Combined with Severity Ratings

Now, taking these same hypothetical security bulletins, we assess them based on the Exploitability Index:

Risk assessment with the Exploitability Index

Taking this additional Exploitability Index information into account in the risk assessment, a customer may choose a different prioritization:

  • Immediate testing and deployment:
    • MS0X-001
    • MS0X-002
    • MS0X-003
  • Testing and deployment within a longer time frame:
    • MS0X-004
    • MS0X-005

What has changed is that MS0X-005, which was previously given immediate priority because it was rated Critical, has now been reprioritized downward. Conversely, MS0X-003, which was previously given lower priority, has had its priority increased. In both cases these changes reflect the additional information provided by the Exploitability Index. Even though MS0X-003 is of lower severity than MS0X-005 (Important versus Critical), its Exploitability Index rating of 1 means it is deemed likely to have consistent exploit code developed, which increases its overall priority. Conversely, MS0X-005, with its Exploitability Index rating of 3, is deemed unlikely to have consistent exploit code developed, which decreases its overall priority.
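The two prioritizations above, written out as a small Python triage script. This is an added example, not code from the article or from Microsoft; the Critical/Important split and the index values for MS0X-003 (1) and MS0X-005 (3) come from the text, while the remaining index values and the severity of MS0X-004 are assumed because the article's tables are not reproduced here.

```python
from dataclasses import dataclass

# The four MSRC severity ratings, ranked by worst-case impact.
SEVERITY_RANK = {"Critical": 4, "Important": 3, "Moderate": 2, "Low": 1}
# Exploitability Index values: 1 = consistent exploit code likely,
# 2 = inconsistent exploit code likely, 3 = functioning exploit code unlikely.


@dataclass(frozen=True)
class Bulletin:
    id: str
    severity: str
    exploitability: int  # 1, 2 or 3


# Constructed sample. Values marked "assumed" are not given by the article.
SAMPLE = [
    Bulletin("MS0X-001", "Critical", 1),   # index assumed
    Bulletin("MS0X-002", "Critical", 2),   # index assumed
    Bulletin("MS0X-003", "Important", 1),
    Bulletin("MS0X-004", "Moderate", 2),   # severity and index assumed
    Bulletin("MS0X-005", "Critical", 3),
]


def prioritize_by_severity(bulletins):
    """Impact only: Critical now, Important within a week, the rest within a month."""
    tiers = {"immediate": [], "one_week": [], "one_month": []}
    for b in bulletins:
        if b.severity == "Critical":
            tiers["immediate"].append(b.id)
        elif b.severity == "Important":
            tiers["one_week"].append(b.id)
        else:
            tiers["one_month"].append(b.id)
    return tiers


def prioritize_with_index(bulletins):
    """Impact and probability: index 1 at Important or above, or Critical at
    index 2, is urgent; a Critical bulletin at index 3 is deferred."""
    tiers = {"immediate": [], "longer": []}
    for b in bulletins:
        rank = SEVERITY_RANK[b.severity]
        urgent = (b.exploitability == 1 and rank >= SEVERITY_RANK["Important"]) \
            or (b.severity == "Critical" and b.exploitability == 2)
        tiers["immediate" if urgent else "longer"].append(b.id)
    return tiers


def rank_order(bulletins):
    """Deployment queue: most likely to be exploited first, then highest
    severity among bulletins sharing the same index value."""
    key = lambda b: (b.exploitability, -SEVERITY_RANK[b.severity])
    return [b.id for b in sorted(bulletins, key=key)]
```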

Summary

Because the Exploitability Index is a prediction of possible future occurrences, it can and will at times be inaccurate. However, it does represent a good-faith estimation based on the latest information and the experience of the MSRC. It can and should be used in conjunction with the severity rating system to help determine the priority of testing and deployment for security updates. Like the severity rating system, it is not meant to obviate or replace IT professionals' assessment and analysis of the security updates based on their own policies and procedures. It is meant to be a recommendation that supplements a customer's own security assessment and remediation processes.

Additional Resources

About the Author

Ken Malcolmson is a product manager in the Trustworthy Computing Communications group at Microsoft providing product management services to the Microsoft Security Response Center and the Microsoft Malware Protection Center. Ken has been with Microsoft for more than 12 years, before which he held a variety of IT jobs within the UK Civil Service.
