
Prioritizing Microsoft Security Update Deployment Using Severity Ratings and the Updated Exploitability Index

Published: June 22, 2011

Author: Ken Malcolmson, Product Marketing Manager, Microsoft Corporation

Software vulnerabilities are an industry-wide problem. Software vulnerabilities are weaknesses in software that may enable an attacker to compromise the integrity, availability, or confidentiality of that software. Although the overall number of software vulnerabilities disclosed each year has been in decline since 2006 (see Microsoft Security Intelligence Report), there are still thousands of new vulnerabilities disclosed across the software industry each year, and there will continue to be vulnerabilities as long as human beings are creating complex software products.

Software providers address vulnerabilities in different ways, from regularly scheduled update releases to ad-hoc releases for specific problems. IT professionals need to be aware of any security updates that are available for software (from any software manufacturer) that is deployed in their environment. For Microsoft products, IT professionals can subscribe to free, comprehensive security alerts through the Microsoft Technical Security Notifications on TechNet.

After determining which updates apply in a specific environment, the IT professional then needs to understand how to prioritize those updates for deployment.

Microsoft has established a predictable process for releasing security updates on the second Tuesday of each month. Each security update carries two pieces of information that help with the prioritization process: the severity rating and the Exploitability Index.

  • The severity rating indicates the maximum potential impact of a successful attack against a specific vulnerability. Ratings are Low, Moderate, Important, or Critical.
  • The Exploitability Index indicates the likelihood of reliable exploit code being developed within the first 30 days after a security update is released for the latest software release of the affected product, and for older software releases. The Exploitability Index ratings are 3 (Functioning exploit code unlikely), 2 (Inconsistent exploit code likely) or 1 (Consistent exploit code likely).

Each of these pieces of information taken separately gives an indication of the risk of a vulnerability being exploited, but both pieces taken together can add a new dimension of information that can help with prioritization decisions. Let’s examine these two items in more detail, and walk through an example.


Severity Rating

Microsoft severity ratings translate to the maximum potential impact of the attack. Microsoft evaluates each issue and quantifies an issue’s impact objectively on a technical level for default configurations. Based on this analysis and the maximum security impact, Microsoft supplies a rating in the security bulletin.

[Figure: Microsoft severity rating system]


Exploitability Index (updated May 2011)

The Exploitability Index is designed to provide additional information to help customers better prioritize the deployment of Microsoft security updates. This index provides customers with guidance on the likelihood of functioning exploit code being developed for vulnerabilities addressed by Microsoft security updates, within the first 30 days of that update's release. Additionally, the Exploitability Index indicates the potential likelihood that an exploit could cause a denial of service (DoS) on an affected system. The Exploitability Index has three ratings.

[Figure: Microsoft Exploitability Index ratings]

In May 2011, the Exploitability Index was updated to provide separate ratings for the latest software release of the affected product (the most recent version of the application or platform listed in the "Affected Software" and "Non-Affected Software" tables in the security bulletin), and for older software releases (all other supported releases, as listed in the "Affected Software" tables in the security bulletin). For example, an Exploitability Index assessment of a vulnerability previously addressed in a security bulletin would be as follows:

[Figure: Sample Exploitability Index assessment]

In the case above, older software releases were likely to see consistent exploit code within 30 days, whereas the latest software releases were only likely to see inconsistent exploit code. An IT professional managing an environment consisting solely of the latest software releases may assign a lower priority to deploying this update.

For scenarios in which multiple product series are affected—for instance, a vulnerability that affects both Windows and Office—the "latest software release" rating reflects the highest risk level across both products. In this case, if the Exploitability Assessment of the latest version of Office is "1," and of the latest version of Windows is "2," the rating will reflect "1."

The DoS Exploitability Assessment may reflect one of the following:

[Figure: DoS Exploitability Assessment values]

A vulnerability is rated as allowing a permanent denial of service when recovering from the attack requires an administrator to start, restart, or reinstall all or parts of the system. Note that any vulnerability that automatically restarts the system is also considered a permanent DoS. Client applications that are typically intended for interactive use, such as Microsoft Office releases, do not receive a DoS Exploitability Assessment.


What does this all mean?

Let’s use a simple example of fictitious security update MS11-0XX:

[Figure: Security update example, fictitious bulletin MS11-0XX with severity ratings]

Based on the information above, an IT professional may assume that all Windows clients would require updating as soon as possible due to the potential impact of exploitation of the vulnerability (remote code execution). However, let’s add the Exploitability Index ratings:

[Figure: Security update example with Exploitability Index ratings]

Now we can see that the risk for the latest software releases (say, for this example, Windows 7) is lower than for older software releases (Windows Vista and older). This information enables the IT professional to make a different priority decision for clients running the latest software release (perhaps marking the update to be deployed during a standard client management event) than for clients running older software versions (perhaps an emergency patching event). Combined, the severity rating and the Exploitability Index information can help minimize disruption to IT professionals and the businesses they support.
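The prioritization logic described in this article, expressed as an added Python example (not part of the original article or any Microsoft tool). The severity ranks and the three Exploitability Index values come from the article, including the multi-product rule that the "latest software release" rating reflects the highest risk (lowest index) across affected products; the deployment tracks, the fleet host names and the specific MS11-0XX ratings (2 for the latest release, 1 for older releases) are constructed assumptions.

```python
from dataclasses import dataclass

# Exploitability Index values as the article defines them (lower = higher risk):
# 1 = consistent exploit code likely, 2 = inconsistent exploit code likely,
# 3 = functioning exploit code unlikely.
SEVERITY_RANK = {"Low": 0, "Moderate": 1, "Important": 2, "Critical": 3}

@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str
    severity: str
    # Per product series: {"Windows": (latest_release_index, older_releases_index)}
    exploitability: dict

def latest_release_index(b: Bulletin) -> int:
    """Multi-product rule from the article: when several product series are
    affected, the 'latest software release' rating reflects the highest risk
    across them, which is the lowest index value."""
    return min(latest for latest, _older in b.exploitability.values())

def older_release_index(b: Bulletin) -> int:
    return min(older for _latest, older in b.exploitability.values())

def deployment_priority(severity: str, index: int) -> str:
    """Assumed local policy (not Microsoft guidance): combine the severity
    rating with the Exploitability Index to choose a deployment track."""
    rank = SEVERITY_RANK[severity]
    if rank >= SEVERITY_RANK["Important"] and index == 1:
        return "emergency"   # out-of-band emergency patching event
    if rank >= SEVERITY_RANK["Important"] or index == 1:
        return "standard"    # next scheduled client management event
    return "routine"         # regular maintenance window

def prioritize_fleet(b: Bulletin, fleet: dict) -> dict:
    """fleet maps hostname -> 'latest' or 'older' for the affected product."""
    index_for = {"latest": latest_release_index(b), "older": older_release_index(b)}
    return {host: deployment_priority(b.severity, index_for[release])
            for host, release in fleet.items()}

# Constructed sample data: the article's fictitious MS11-0XX, a Critical remote
# code execution bulletin rated 2 for the latest release and 1 for older ones.
MS11_0XX = Bulletin("MS11-0XX", "Critical", {"Windows": (2, 1)})
# Constructed fleet: Windows 7 hosts are the latest release, Vista hosts are older.
FLEET = {"ws-0101": "latest", "ws-0102": "latest", "ws-0203": "older"}

if __name__ == "__main__":
    for host, track in prioritize_fleet(MS11_0XX, FLEET).items():
        print(f"{MS11_0XX.bulletin_id} {host}: {track}")
```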

About the Author

Ken Malcomson is a product marketing manager at Microsoft, working with the Microsoft Security Response Center and the Microsoft Malware Protection Center. Ken has more than 25 years of experience in the IT industry, with a particular focus on security.

Related Resources

  • MSRC Security Bulletin Severity Rating System

    Information to help customers decide which patches they should apply to avoid impact under their particular circumstances, and how rapidly they need to take action.

  • Microsoft Exploitability Index

    Information designed to help customers prioritize the deployment of Microsoft security updates by offering details about the likelihood that functioning exploit code would be released after a security update is released.

  • Microsoft Security Update Guide

    Download tools that can help you protect your IT infrastructure and better understand Microsoft security update release information, processes, communications, and tools.

  • MSRC Blog

    Subscribe to updates from Microsoft's official security response blog.

  • MSRC on Twitter

    Follow Microsoft security response news on Twitter.
