Prioritizing Microsoft Security Update Deployment Using Severity Ratings and the Updated Exploitability Index
Published: June 22, 2011
Author: Ken Malcolmson, Product Marketing Manager, Microsoft Corporation
Software vulnerabilities are an industry-wide problem. Software vulnerabilities are weaknesses in software that may enable an attacker to compromise the integrity, availability, or confidentiality of that software. Although the overall number of software vulnerabilities disclosed each year has been in decline since 2006 (see Microsoft Security Intelligence Report), there are still thousands of new vulnerabilities disclosed across the software industry each year, and there will continue to be vulnerabilities as long as human beings are creating complex software products.
Software providers address vulnerabilities in different ways, from regularly scheduled update releases to ad-hoc releases for specific problems. IT professionals need to be aware of any security updates that are available for software (from any software manufacturer) that is deployed in their environment. For Microsoft products, IT professionals can subscribe to free, comprehensive security alerts through the Microsoft Technical Security Notifications on TechNet.
After determining which updates apply in a specific environment, the IT professional then needs to understand how to prioritize those updates for deployment.
Microsoft has established a predictable process for releasing security updates on the second Tuesday of each month. Each security update carries two pieces of information that help with the prioritization process: the severity rating and the Exploitability Index.
Each of these pieces of information taken separately gives an indication of the risk of a vulnerability being exploited, but both pieces taken together can add a new dimension of information that can help with prioritization decisions. Let’s examine these two items in more detail, and walk through an example.
Microsoft severity ratings translate to the maximum potential impact of the attack. Microsoft evaluates each issue and quantifies an issue’s impact objectively on a technical level for default configurations. Based on this analysis and the maximum security impact, Microsoft supplies a rating in the security bulletin.
Microsoft severity rating system
Exploitability Index (updated May 2011)
The Exploitability Index is designed to provide additional information to help customers better prioritize the deployment of Microsoft security updates. This index provides customers with guidance on the likelihood of functioning exploit code being developed for vulnerabilities addressed by Microsoft security updates, within the first 30 days of that update's release. Additionally, the Exploitability Index indicates the potential likelihood that an exploit could cause a denial of service (DoS) on an affected system. The Exploitability Index has three ratings.
Microsoft Exploitability Index system
In May 2011, the Exploitability Index was updated to provide separate ratings for the latest software release of the affected product (the most recent version of the application or platform listed in the "Affected Software" and "Non-Affected Software" tables in the security bulletin), and for older software releases (all other supported releases, as listed in the "Affected Software" tables in the security bulletin). For example, an Exploitability Index assessment of a vulnerability previously addressed in a security bulletin would be as follows:
In the case above, older software releases were likely to see consistent exploit code within 30 days, whereas the latest software releases were only likely to see inconsistent exploit code. An IT professional managing an environment consisting solely of the latest software releases may assign a lower priority to deploying this update.
For scenarios in which multiple product series are affected—for instance, a vulnerability that affects both Windows and Office—the "latest software release" rating reflects the highest risk level across both products. In this case, if the Exploitability Assessment of the latest version of Office is "1," and of the latest version of Windows is "2," the rating will reflect "1."
The DoS Exploitability Assessment may reflect one of the following:
A vulnerability is considered to allow a permanent denial of service if exploiting it requires an administrator to start, restart, or reinstall all or parts of the system. It should be noted that any vulnerability that automatically restarts the system is also considered a permanent DoS. Also, client applications that are typically intended for interactive use, such as Microsoft Office releases, would not get a DoS Exploitability Assessment.
What does this all mean?
Let’s use a simple example of fictitious security update MS11-0XX:
Based on the information above, an IT professional may assume that all Windows clients would require updating as soon as possible due to the potential impact of exploitation of the vulnerability (remote code execution). However, let's add Exploitability Index ratings:
Now we can see that the risk for the latest software releases (say, for this example, Windows 7) is lower than for older software releases (Windows Vista and older). This information enables the IT professional to make a different priority decision for clients running the latest software release (perhaps marking the update to be deployed during a standard client management event) than for clients running older software versions (perhaps an emergency patching event). Combined, the severity rating and the Exploitability Index information can help minimize disruption to IT professionals and the businesses they support.
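The prioritization logic walked through above, written out as an added example (not code from the original article or from Microsoft): the bulletin's "latest software release" rating is derived from per-product ratings using the highest-risk rule, each host is matched to the latest or older rating, and a local deployment policy is applied. The severity ordering, the emergency/standard/routine policy, the host names and the per-product ratings are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Exploitability Index values as the page describes them (within 30 days of
# release): 1 = consistent exploit code likely, 2 = inconsistent exploit code
# likely, 3 = functioning exploit code unlikely. Severity names are Microsoft's
# bulletin ratings; the numeric ordering is an assumption used for comparison.
SEVERITY_RANK = {"Critical": 4, "Important": 3, "Moderate": 2, "Low": 1}

@dataclass
class Bulletin:
    bulletin_id: str
    severity: str
    latest_ratings: dict  # per product series: rating for its latest release
    older_rating: int     # rating for all other supported releases

    def latest_rating(self) -> int:
        # Page rule: with several product series affected, the single "latest
        # software release" rating reflects the highest risk across them,
        # i.e. the lowest index number.
        return min(self.latest_ratings.values())

@dataclass
class Host:
    name: str
    is_latest_release: bool  # runs the newest version the bulletin lists

def applicable_rating(bulletin: Bulletin, host: Host) -> int:
    return bulletin.latest_rating() if host.is_latest_release else bulletin.older_rating

def deployment_priority(bulletin: Bulletin, host: Host) -> str:
    # Assumed local policy, not Microsoft guidance: Critical/Important plus
    # consistent exploit code likely -> emergency change; the same severity
    # with only inconsistent exploit code likely -> normal client management
    # cycle; anything else -> routine cycle.
    rating = applicable_rating(bulletin, host)
    high_impact = SEVERITY_RANK[bulletin.severity] >= SEVERITY_RANK["Important"]
    if high_impact and rating == 1:
        return "emergency"
    if high_impact and rating == 2:
        return "standard"
    return "routine"

def plan(bulletin: Bulletin, hosts: list) -> dict:
    return {h.name: deployment_priority(bulletin, h) for h in hosts}

# Constructed sample mirroring the page's fictitious MS11-0XX: Critical remote
# code execution, latest Windows release rated 2, older releases rated 1.
MS11_0XX = Bulletin("MS11-0XX", "Critical", {"Windows": 2}, older_rating=1)
INVENTORY = [Host("win7-desk-01", True), Host("vista-desk-02", False)]
```

Note that applying the bulletin-level "latest" rating to every latest-release host is the conservative choice when one product series (say, Office) drove that rating down to "1" while another (Windows) was "2".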
About the Author
Ken Malcomson is a product marketing manager at Microsoft, working with the Microsoft Security Response Center and the Microsoft Malware Protection Center. Ken has more than 25 years' experience in the IT industry, with a particular focus on security.