A consortium of software and security companies has come up with the first unified language for rating the vulnerabilities that plague operating systems and other software, opening them to attack from viruses and hackers. The system will give system administrators their first quick way to prioritise the dozens of software patches they receive each week, say its creators.
The Common Vulnerability Scoring System (CVSS) was designed by engineers from more than seven companies, including Microsoft, Cisco Systems, Symantec and Qualys, as part of their role on the US National Infrastructure Advisory Council, an advisory body attached to the US Department of Homeland Security.
A "vulnerability" is a flaw, usually a programming or design error, that enables an attacker or a virus to gain entry to a computer - allowing access to confidential information, the running of malicious programs or even crashing the system.
CVSS is a series of measurements - or "metrics" - designed to rate the severity and urgency of a vulnerability. "It's a new way to talk about vulnerability severity," says Mike Schiffman of Cisco Systems, based in San Jose, California, US, who presented CVSS at the RSA Security Conference in San Francisco, US, on Thursday.
The system should be a great help to system administrators who currently have to wade through 30 to 50 new vulnerability alerts each week with no good method to prioritise the installation of the associated patches, explains Gerhard Eschelbeck of Qualys in Redwood Shores, California.
"It's an important and tricky problem," says Bruce Schneier, a security consultant and analyst with Counterpane Security in Mountain View, California. "There are too many vulnerabilities for managers to pay attention to all of them. We need a way to prioritise them and to know in real time which ones are important."
Qualys plans to start including CVSS scores along with the list of vulnerabilities it already sends out with its free newsletter - the SANS Top 20 - later this year. Eschelbeck hopes that Microsoft will also start releasing these scores alongside the vulnerabilities it makes public. "The more people that use it, the better it's going to work," says Schiffman.
Currently, vendors and security companies each use their own, incompatible scoring systems, which leaves system administrators unable to compare alerts from different sources.
The base CVSS metrics rate a vulnerability on seven characteristics that are fixed at the time of disclosure: whether it can be exploited across the network or only by someone with local access, how hard it is to exploit, whether the attacker must already hold credentials such as a password on the system, and the extent to which a successful exploit exposes confidential information, lets the attacker modify or destroy data, or lets the attacker crash the system. A final "impact bias" lets the rater say which of those three consequences matters most for the flaw in question.
A time-related, or "temporal", set of metrics captures what changes after disclosure. The older a vulnerability is, the more likely hackers are to have developed exploit code or even a virus to take advantage of it, and the more likely a fix is to exist, so the temporal score tracks whether a working exploit is known, whether a patch or workaround has been released and how well the report has been confirmed. A third, "environmental", set of metrics can be calculated by individual system administrators for their own network, based, for example, on how much of it is affected (how many Macs versus PCs the network has) and how much damage a compromise would do to the organisation.
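The three metric groups described above, worked through as an added example that is not code from the article or from the CVSS authors: a Python implementation of the CVSS version 1 equations, scoring three constructed alerts and ranking them the way an administrator would prioritise patches. The metric weights and formulas are this example's reading of the 2005 version 1 specification and should be checked against the published document; the alert identifiers and environment values are made up for the illustration.

```python
# Added example: scoring vulnerabilities with the CVSS version 1 equations.
# Not code from the CVSS authors or the article. The weights below are this
# example's reading of the 2005 CVSS v1 specification (assumption: verify them
# against the published document before relying on them).

# Base metrics: fixed by whoever rates the flaw, independent of time or site.
ACCESS_VECTOR = {"local": 0.7, "remote": 1.0}
ACCESS_COMPLEXITY = {"high": 0.8, "low": 1.0}
AUTHENTICATION = {"required": 0.6, "none": 1.0}
IMPACT = {"none": 0.0, "partial": 0.7, "complete": 1.0}
# Impact bias: weights applied to (confidentiality, integrity, availability).
IMPACT_BIAS = {
    "normal": (0.333, 0.333, 0.333),
    "confidentiality": (0.5, 0.25, 0.25),
    "integrity": (0.25, 0.5, 0.25),
    "availability": (0.25, 0.25, 0.5),
}
# Temporal metrics: change as exploits, fixes and confirmation appear.
EXPLOITABILITY = {"unproven": 0.85, "proof-of-concept": 0.9, "functional": 0.95, "high": 1.0}
REMEDIATION_LEVEL = {"official-fix": 0.87, "temporary-fix": 0.90, "workaround": 0.95, "unavailable": 1.0}
REPORT_CONFIDENCE = {"unconfirmed": 0.90, "uncorroborated": 0.95, "confirmed": 1.0}
# Environmental metrics: set by the administrator for one particular network.
COLLATERAL_DAMAGE = {"none": 0.0, "low": 0.1, "medium": 0.3, "high": 0.5}
TARGET_DISTRIBUTION = {"none": 0.0, "low": 0.25, "medium": 0.75, "high": 1.0}


def base_score(access_vector, access_complexity, authentication,
               confidentiality, integrity, availability, bias="normal"):
    """Base score from the seven characteristics the vendor assigns."""
    cw, iw, aw = IMPACT_BIAS[bias]
    impact = (IMPACT[confidentiality] * cw + IMPACT[integrity] * iw
              + IMPACT[availability] * aw)
    return round(10 * ACCESS_VECTOR[access_vector] * ACCESS_COMPLEXITY[access_complexity]
                 * AUTHENTICATION[authentication] * impact, 1)


def temporal_score(base, exploitability, remediation_level, report_confidence):
    """Base score discounted by what is known about exploits and fixes today."""
    return round(base * EXPLOITABILITY[exploitability]
                 * REMEDIATION_LEVEL[remediation_level]
                 * REPORT_CONFIDENCE[report_confidence], 1)


def environmental_score(temporal, collateral_damage, target_distribution):
    """Temporal score raised by potential damage, then scaled by share of hosts hit."""
    adjusted = temporal + (10 - temporal) * COLLATERAL_DAMAGE[collateral_damage]
    return round(adjusted * TARGET_DISTRIBUTION[target_distribution], 1)


def prioritise(alerts, environment):
    """Return (id, base, temporal, environmental) tuples, most urgent first."""
    ranked = []
    for alert in alerts:
        base = base_score(*alert["base"])
        temporal = temporal_score(base, *alert["temporal"])
        env = environmental_score(temporal, *environment[alert["id"]])
        ranked.append((alert["id"], base, temporal, env))
    return sorted(ranked, key=lambda row: row[3], reverse=True)


# Constructed sample alerts (hypothetical identifiers, not real advisories).
# "base" holds access vector, complexity, authentication, C/I/A impact and bias.
SAMPLE_ALERTS = [
    {"id": "ALERT-1",
     "base": ("remote", "low", "none", "partial", "partial", "partial", "normal"),
     "temporal": ("functional", "official-fix", "confirmed")},
    {"id": "ALERT-2",
     "base": ("remote", "low", "none", "complete", "complete", "complete", "normal"),
     "temporal": ("unproven", "unavailable", "confirmed")},
    {"id": "ALERT-3",
     "base": ("local", "high", "required", "none", "none", "complete", "availability"),
     "temporal": ("high", "unavailable", "confirmed")},
]
# Constructed environment: (collateral damage potential, target distribution).
# ALERT-2 hits a platform that makes up only a small share of this network.
SAMPLE_ENVIRONMENT = {
    "ALERT-1": ("medium", "high"),
    "ALERT-2": ("medium", "low"),
    "ALERT-3": ("none", "high"),
}

if __name__ == "__main__":
    for alert_id, base, temporal, env in prioritise(SAMPLE_ALERTS, SAMPLE_ENVIRONMENT):
        print(f"{alert_id}: base {base}, temporal {temporal}, environmental {env}")
```

The ranking shows why the environmental metrics exist: ALERT-2 has the maximum base score of 10.0, but with no known exploit and only a small share of hosts affected it drops below ALERT-1, a partial-impact flaw that has a working exploit and touches most of the network.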
"I think it is a good idea," says Ivan Arce, a vulnerabilities expert at Core Security Technologies in Boston, Massachusetts, US. But he suggests that the software vendors could introduce a bias by inflating a CVSS score for vulnerability alerts concerning their own software. This might make it harder for the end user to sue them, should a virus writer later exploit the vulnerability in their software.