Exploitability Index Improvements Now Offer Additional Guidance

In October of 2008, Microsoft published its first Exploitability Index: a rating system that helps customers identify the likelihood that a specific vulnerability would be exploited within the first 30 days after bulletin release.

As of this month, we are making some changes to the rating system to make vulnerability assessment more clear and digestible for customers. Specifically, we will be publishing two Exploitability Index ratings per vulnerability- one for the most recent platform, the other as an aggregate rating for all older versions of the software. This change makes it easier for customers on recent platforms to determine their risk given the extra security mitigations and features built in to Microsoft’s newest products; under the previous system, vulnerabilities were given an aggregate rating across all product versions.

 

How do we build an Exploitability Index?

Each vulnerability rating is based on a thorough review by the MSRC Engineering team, as well as close cooperation with a number of key partners. The ratings are qualitative: our team does an in-depth technical analysis of the vulnerability in question, and identifies the likelihood that an experienced exploit developer would be able to exploit the vulnerability. Some great examples of these types of reviews can be found on the SRD blog here and here.

We have received feedback in the past that the Exploitability Index did not take into account more recent mitigations implemented in our operating systems. For instance, Windows 7 hosts Address Space Layout Randomization (ASLR), a mitigation technique which repositions code fragments in memory, and makes it much harder for an attacker to write a reliable exploit. This functionality is not available by default on older operating systems such as Windows XP.

If consistent exploit code was considered likely for any supported version, despite being made significantly more difficult with ASLR, the Exploitability Index rating of that vulnerability would receive Microsoft’s highest rating of "1," indicating that a reliable exploit within 30 days is likely. While this is accurate for the older version, it does not correctly reflect risk for users with Windows 7.

 

Rating the Latest Platform Separately from Older Platforms

As of this month, we will split out the Exploitability Index into a rating for the most recent version of the software, and an aggregate rating for all older versions. In the scenario above, the rating for Windows 7 could be “2" whereas the rating for all other platforms would be "1”. This more accurately reflects risk to customers that keep their environment updated with the latest product releases.

 

Assessing Denial of Service Risk

An additional item we are now providing with the Exploitability Index, is an assessment of the Denial of Service risk a vulnerability poses. In the case of remote code execution vulnerabilities, an issue that is difficult to exploit may still be used to crash a computer. Even when an attacker cannot control memory addresses sufficiently to execute code, he may still be able to corrupt memory sufficiently to stop the computer from responding.

For IT administrators, it is important to understand whether the denial of service will be “permanent,” in which case the program or operating system exits unexpectedly, such that the system will need to be restarted; or “temporary,” in which case the program or operating merely becomes unresponsive during the attack, but eventually recovers. In the example table below, for CVE-2011-0673, the table indicates that an attacker who attempts to exploit the service, even when failed, may render the system entirely unavailable. For administrators of internet-facing services, this can often be the difference between a highly important, and insignificant vulnerability.

 

An Example of Our New Exploitability Index Rating System

To help you prepare for these changes in the May release, we are providing an example of these changes applied to three different CVEs from the April Bulletin Release:

Bulletin

CVE

CVE Title

Code Execution Exploitability Assessment for Latest Software Release1

 

Code Execution Exploitability Assessment for Older Software Release2

DOS  Exploitability Assessment3

Key Notes

MS11-021

CVE-2011-0097

 

Excel Integer Overrun Vulnerability

2 – Inconsistent exploit code likely

1 – Consistent exploit code likely

Temporary

(None)

MS11-029

CVE-2011-0041

 

GDI+ Integer Overflow Vulnerability

Not affected

1 - Consistent exploit code likely

Temporary

 (None)

MS11-034

CVE-2011-0673

Win32k Null Pointer De-reference vulnerability

Not affected

 

1 – Consistent exploit code likely

Permanent

(None)

 

1 The Latest Software Release refers to the latest supported release of the software as listed in both the "Affected Software" and "Non-Affected Software" tables in the bulletin

2 The Older Software Release refers to any other version of the software as listed in both the "Affected Software" and "Non-Affected Software" tables in the bulletin

In the case of CVE-2011-0097, the most recent version of Microsoft Office, additional mitigations are in place that would make exploitation less reliable. For CVE-2011-0041, the latest version of the product, Windows 7, was not affected at all.

CVE-2011-0673 is a local elevation of privilege vulnerability which could lead to a permanent Denial of Service, and may require the machine to be restarted in order to restore functionality. Again, the latest version of the product was not affected by this issue.

In the table, the "Latest Software Release" is always the very latest version listed across both the "Affected Software" and "Non-Affected Software" tables in the security bulletin. The Exploitability Index Assessment for the "Older Software Release" is always the highest rating across any other platform listed in either of these tables. In the case of a complex security bulletin, where for instance both Microsoft Office and Microsoft Windows are affected, the Exploitability Index Assessment for the "Latest Software Release" will be the highest across both software products.

For instance, if the exploitability index assessment for Windows 7 Service Pack 1 is "1," and for Office 2010 is "2," the rating in the “Latest Software Release” column will be "1”.

 

A historical perspective

At Microsoft, we have been collecting ratings internally in this way for the last eight months. Out of a total of 256 ratings, we found that 97 issues were less serious, or not applicable on the latest version of the product. In contrast, only seven cases affected the most recent product version and not the older platforms.

 

Some changes, but the same goal

Our goal in publishing Exploitability Index ratings is to make it easier for enterprises to prioritize which updates to install first. We understand that some customers may not be able to install all updates at the same time. By giving an assessment of the exploitability and impact, of an issue, we hope to support IT administrators in making rational decisions on which security updates to install first. We hope these changes prove useful in your monthly assessment of our security updates!

 

Maarten Van Horenbeeck
Senior Security Program Manager
EcoStrat