Microsoft Exploitability Index at Black Hat
Microsoft wants to buddy up to Black Hat attendees by discussing its new Exploitability Index.
A Better View of Microsoft Security? - InternetNews
There's also the community-driven Microsoft Active Protections Program (MAPP) that gives advance notice on vulnerabilities and upcoming patches to partners. Does this mean good-bye to the finger pointing among software vendors after a disastrous patch?
The new Exploitability Index will supplement the Patch Tuesday announcement with a new metric that will help users understand the risk a given vulnerability may pose.
To gauge that risk, Microsoft will state in the Exploitability Index whether exploit code exists, or is likely to exist, for a given vulnerability. The general idea is to help Microsoft customers prioritize updates based on how likely each vulnerability is to be exploited.
...Reavey explained that Microsoft will look at classifying vulnerabilities into three broad buckets. The first bucket will be highly exploitable vulnerabilities, where Microsoft is of the opinion that exploit code that works consistently is likely to be released within the first 30 days of the Microsoft patch being made available. The second bucket is for vulnerabilities where there is the possibility of inconsistent exploit code being produced that might work some of the time. The third bucket will identify vulnerabilities for which Microsoft believes it is unlikely that exploit code will be released within 30 days.