Today is the day! At Blackhat in August we announced two significant changes to our bulletin release process, and today is the first time this actually kicks in.
Just to recapitulate: What did we change?
We introduced the Microsoft Active Protections Program, which to me is a major shift in policy. Up to now we did our best to make sure that everybody got the information on a fixed vulnerability at the same time. Over time, however, the threat landscape shifted dramatically. A few years ago it took the "researcher" (actually the bad guys are the ones we are concerned about) a few days to develop an exploit for any given vulnerability. Today we are at a few hours at best. Therefore we decided to change our policy and make the information about the vulnerability available to a well-defined and limited set of vendors just in time for them to prepare signatures. The idea is that these vendors can then protect their (and with that our) customers immediately at the moment of the release of the update.
I now often get the question from customers: "We want this information as well, how can I join?" As I stated above: We are talking about a well-defined and limited set of vendors. Here you find the set of criteria from the web page mentioned above:
The second change is the Exploitability Index. This Index will make it easier for you to prioritize the Security Updates to be rolled out in your environment. This is actually something a lot of customers told us over and over again: They like the way we do Security Updates (at least if you can talk of "they like" when it comes to security updates :-)) but they would like to know how likely it is that we will see an exploit on the net. We are now doing our best to give you our assessment and we start this process as of today. So, if you look at today's bulletin overview you will see the index referring to three different levels:
So, if you look at today's release, the situation looks as follows:
| Bulletin ID | Bulletin Title | CVE ID | Exploitability Index Assessment | Key Notes |
|---|---|---|---|---|
| MS08-056 | Vulnerability in Microsoft Office Could Allow Information Disclosure (957699) | CVE-2008-4020 | 2 - Inconsistent exploit code likely | Functioning exploit code could be created. However, the severity impact is limited as the vulnerability allows spoofing in a dialog in specific Web application scenarios only. As a result, this may get little attention from attackers. |
| MS08-057 | Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416) | CVE-2008-4019 | 1 - Consistent exploit code likely | |
| | | CVE-2008-3471 | | |
| | | CVE-2008-3477 | | |
…
I hope that this really helps to protect our customers and the ecosystem. Your feedback is – as always – very welcome.
Roger