Skip to main content

 

 

Microsoft Exploitability Index

The Microsoft Exploitability Index helps customers prioritize security update deployment by providing information on the likelihood that a vulnerability addressed in a Microsoft security update will be exploited.

Why Microsoft Developed the Exploitability Index

Microsoft developed the Exploitability Index in response to customer requests for additional information to further evaluate risk.Through Microsoft's monthly security update release, the company provides customers with information about proof-of-concept code, exploit code, or active attacks addressed by our security updates, at the time of their release.

How the Exploitability Index Works

Microsoft evaluates the potential exploitability of each vulnerability of Important or Critical severity associated with a Microsoft security update and then publishes the exploitability information as part of the monthly Microsoft security update details. If after publishing the details Microsoft determines that the Exploitability Index Assessment warrants a change, it will change the assessment and notify customers through technical security notifications. The company will not update the assessment when exploit code is posted that matches the existing exploitability information.

This exploitability information includes:

  • The CVE ID associated with the specific vulnerability
  • The exploitability assessment for code execution on the latest software release
  • The aggregate exploitability assessment for code execution on older software releases
  • A description of the potential for denial of service

We define the "latest software release" as the most recent version of the application or platform listed in the "Affected Products" table in the security update details. For "older software releases," the highest rating pertains to all other supported releases, as listed in the "Affected Software" tables in the details.

For example, one vulnerability addressed in a March 2017 security update has the following Exploitability Assessment:

Publicly DisclosedExploitedLatest Software ReleaseOlder Software ReleaseDenial of Service
NoNo1 – Exploitation More Likely1 – Exploitation More LikelyNot Applicable


In those scenarios where multiple product series are affected, for instance a vulnerability that affects both Windows and Office, the "latest software release" rating reflects the highest risk level across both products. In this case, if the Exploitability Assessment on the latest version of Office is "1," and on the latest version of Windows is "2," the rating will reflect "1."

In both cases, the Exploitability Index uses one of four values to communicate to customers the likelihood of a vulnerability being exploited, based on the vulnerabilities addressed by the Microsoft security bulletin.

Exploitability Index AssessmentShort Definition
0Exploitation Detected
1Exploitation More Likely *
2Exploitation Less Likely **
3Exploitation Unlikely ***


0 – Exploitation Detected

Microsoft is aware of an instance of this vulnerability being exploited. As such, customers who have reviewed the security update and determined its applicability within their environment should treat this with the highest priority.

1 – Exploitation More Likely

Microsoft analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability. Moreover, Microsoft is aware of past instances of this type of vulnerability being exploited. This would make it an attractive target for attackers, and therefore more likely that exploits could be created. As such, customers who have reviewed the security update and determined its applicability within their environment should treat this with a higher priority.

2 – Exploitation Less Likely

Microsoft analysis has shown that while exploit code could be created, an attacker would likely have difficulty creating the code, requiring expertise and/or sophisticated timing, and/or varied results when targeting the affected product. Moreover, Microsoft has not recently observed a trend of this type of vulnerability being actively exploited in the wild. This makes it a less attractive target for attackers. That said, customers who reviewed the security update and determined its applicability within their environment should still treat this as a material update. If they are prioritizing against other highly exploitable vulnerabilities, they could rank this lower in their deployment priority.

3 – Exploitation Unlikely

Microsoft analysis shows that successfully functioning exploit code is unlikely to be utilized in real attacks. This means that while it might be possible for exploit code to be released that could trigger the vulnerability and cause abnormal behavior, the full impact of exploitation will be more limited. Moreover, Microsoft has not observed instances of this type of vulnerability being actively exploited in the past. Thus, the actual risk of being exploited from this vulnerability is significantly lower. Therefore, customers who have reviewed the security update to determine its applicability within their environment could prioritize this update below other vulnerabilities within a release.

The DoS Exploitability Assessment can reflect either of the following:

DoS Exploitability AssessmentShort Definition
TemporaryExploitation of this vulnerability may cause the operating system or application to become temporarily unresponsive, until the attack is halted, or to exit unexpectedly but automatically recover. The target returns to the normal level of functionality shortly after the attack is finished.
PermanentExploitation of this vulnerability may cause the operating system or application to become permanently unresponsive, until it is restarted manually, or to exit unexpectedly without automatically recovering.


If a vulnerability could allow a permanent denial of service, it requires an administrator to start, restart, or reinstall all or parts of the system. It should be noted that any vulnerability that automatically restarts the system is also considered a permanent DoS. Also, client applications that are typically intended for interactive use, such as Microsoft Office releases, would not get a DoS Exploitability Assessment.

Important Terms and Definitions

Exploit Code – A software program or sample code that, when executed against a vulnerable system, uses the vulnerability to spoof attacker identity, tamper with user or system information, repudiate attacker action, disclose user or system information on the server side, deny service to valid users, or elevate privileges for the attacker. For example, if a vulnerability had a security impact of remote code execution, Exploit Code could cause remote code execution to occur when run against a target system.

Trigger a Vulnerability – The ability to reach the vulnerable code, but not always achieving the maximum impact. For example, it may be easy to trigger a remote code execution vulnerability, but the resulting effect may only be a denial of service.

Frequently Asked Questions (FAQ) Related to the Exploitability Index

Q: What is the Microsoft Exploitability Index?

A: The Microsoft Exploitability Index provides additional information to help customers prioritize their deployment of the monthly security updates. Microsoft designed this index to provide customers guidance concerning the likelihood of exploitation, based on each vulnerability addressed by Microsoft security updates.

Q: Why did Microsoft create the Exploitability Index?

A: Customers asked for more information to help them prioritize their deployment of Microsoft security updates each month, specifically requesting details about the likelihood of exploitation for the vulnerabilities addressed in security updates. The Exploitability Index provides guidance about the actual risk of exploitation of a vulnerability at the time of the security bulletin's release.

Q: How are vulnerabilities rated?

A: Microsoft Exploitability Index focuses on two aspects of a vulnerability to build its ratings:

  1. Current exploitation trends, based on telemetry data and awareness of exploitation of a particular type of vulnerability in a particular product,
  2. The cost and reliability of building a working exploit for the vulnerability, based on a technical analysis of the vulnerability.

Q: Is this a truly reliable rating system?

A: While reliably predicting activity within the security ecosystem is always difficult, there are three reasons why this system should be useful.

First, over the last few years we've realized that many security researchers analyze the updates associated with Microsoft's security updates the day they are released to create and evaluate protections. In doing so, many of these researchers also create exploit code to test them. The methodology used to develop this exploit code is like the one Microsoft uses to determine the likelihood of exploit code release. Microsoft analyzes the updates themselves, the nature of the vulnerability, and the conditions that must be met for an exploit to execute successfully.

Second, not all vulnerabilities resolved by our security updates are exploited. A vulnerability may well be technically exploitable with a high degree of reliability, but it may never be exploited. We continuously monitor and track exploitation activity to keep up to date with current trends. This in turn informs our opinion of what constitutes a more attractive vulnerability over similar vulnerabilities, and enables us to more accurately communicate an actual risk, rather than a potential one from the vulnerabilities we patch.

Finally, we're also partnering with protection providers through the Microsoft Active Protections Program (MAPP), working with them to help validate our predictions each month – thereby using a community approach to ensure better accuracy through information sharing.

Q: How is the Exploitability Index different from the Security Update Severity Rating system?

A: The Security Update Severity Rating System assumes that exploitation will be successful. For some vulnerabilities where exploitability is high, this assumption is very likely to be true for a broad set of attackers. For other vulnerabilities where exploitability is low, this assumption may only be true when a dedicated attacker puts a lot of resources into ensuring their attack is successful. Regardless of the Severity or Exploitability Index rating, Microsoft always recommends that customers deploy all applicable and available updates; however, this rating information can assist sophisticated customers in prioritizing their approach to each month's release.

Q: How are Denial of Service, Tampering, Information Disclosure, or Spoofing issues rated?

A: The Exploitability Index does not differentiate between vulnerability types. It focuses on the likelihood of exploitation of each vulnerability within the range of their full impact potential. Thus, any vulnerability, whether it is Remote Code Execution, Tampering or other, could be rated any of the Exploitability Index ratings.

Q: What happens when newly emerging information requires an update to the Exploitability Index rating?

A: The ability to rate the possible exploitation of vulnerabilities is an evolving science, and new techniques for exploitation in general, or unique techniques specific to a vulnerability, or new trends in detected exploits of particular products may be discovered that could change the Exploitability Index rating. However, the goal of the Exploitability Index is to help customers prioritize those updates for the most current monthly release. Therefore, if there is information that would change an assessment released in the first month of a security release, Microsoft will update the Exploitability Index. If information becomes available in subsequent months, after most customers have made their prioritization decisions, the Exploitability Index will not be updated as it is no longer useful to the customer. When an Exploitability Index rating is corrected in a way that reflects increased risk to customers, the security update revision is incremented at a major version number (for instance, from 1.0 to 2.0). When risk is adjusted downwards, the update revision is incremented at a minor version number (for instance, from 1.0 to 1.1).

Q: How does the Exploitability Index relate to the Common Vulnerability Scoring System (CVSS) and other rating systems?

A: The Exploitability Index is separate and not related to other rating systems. However, the MSRC is a contributing member to the Common Vulnerability Scoring System (CVSS), and Microsoft shares its experience and customer feedback in building and releasing the Exploitability Index with the working group in order to help ensure the CVSS is effective and actionable.