Microsoft Exploitability Index at Black Hat
  1. #1
    Senior Member phernandez's Avatar
    Join Date
    Aug 2003
    Location
    NYC
    Posts
    246

    Microsoft Exploitability Index at Black Hat

    Microsoft wants to buddy up to Black Hat attendees by discussing its new Exploitability Index.

    A Better View of Microsoft Security? - InternetNews

    The new exploitability index will supplement the patch Tuesday announcement with a new metric that will help users understand the risks that a given vulnerability may pose.

    In order to gauge risk, Microsoft will detail, with the exploitability index, whether or not exploit code exists or is likely to exist for a given vulnerability. The general idea is to help Microsoft customers prioritize the importance of updates based on their likelihood of being exploited.

    ...Reavey explained that Microsoft will look at classifying vulnerabilities into three broad buckets. The first bucket will be highly exploitable vulnerabilities where Microsoft is of the opinion that exploit code that will work consistently is likely to be released inside of the first 30 days of the Microsoft patch being made available. The second bucket is if there is the possibility of inconsistent exploit code being produced that might work some of the time. The third bucket will identify vulnerabilities for which Microsoft believes it is unlikely that exploit code will be released inside of 30 days.
    There's also the community-driven Microsoft Active Protections Program (MAPP) that gives advance notice on vulnerabilities and upcoming patches to partners. Does this mean good-bye to the finger pointing among software vendors after a disastrous patch?
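    The article quoted above describes the index as a per-vulnerability rating in three buckets, intended to help customers order their patch deployments. The following is an added example, not code from the thread, the article, or Microsoft: it ranks a constructed set of bulletins by their worst exploitability bucket and then by severity. The bucket numbers, labels, bulletin identifiers and CVE-style identifiers are assumptions made up for the example; only the three-category description comes from the article.

```python
"""Rank security bulletins for deployment using the three exploitability
buckets described in the article, combined with each bulletin's severity.
Added example; bucket numbering and labels are an assumption."""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed numbering: 1 is the most urgent bucket, 3 the least.
BUCKETS = {
    1: "consistent exploit code likely within 30 days",
    2: "inconsistent exploit code likely within 30 days",
    3: "functioning exploit code unlikely within 30 days",
}

# Severity ratings ordered from most to least serious (lower rank = more urgent).
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


@dataclass
class Vulnerability:
    cve: str      # constructed identifier for the example
    bucket: int   # exploitability bucket assigned to this vulnerability

    def __post_init__(self):
        if self.bucket not in BUCKETS:
            raise ValueError(f"{self.cve}: unknown bucket {self.bucket}")


@dataclass
class Bulletin:
    bulletin_id: str          # constructed identifier for the example
    severity: str
    vulns: List[Vulnerability]

    def worst_bucket(self) -> int:
        # A bulletin usually fixes several vulnerabilities while the index is
        # assigned per vulnerability, so the bulletin inherits its worst bucket.
        return min(v.bucket for v in self.vulns)


def prioritize(bulletins: List[Bulletin]) -> List[Bulletin]:
    """Most urgent first: worst bucket, then severity, then id for stability."""
    return sorted(
        bulletins,
        key=lambda b: (b.worst_bucket(), SEVERITY_RANK[b.severity], b.bulletin_id),
    )


def deployment_plan(bulletins: List[Bulletin]) -> List[Tuple[str, int, str]]:
    """Return (bulletin_id, worst_bucket, reason) in deployment order."""
    return [
        (b.bulletin_id, b.worst_bucket(), BUCKETS[b.worst_bucket()])
        for b in prioritize(bulletins)
    ]


# Constructed sample input: four bulletins with made-up identifiers.
SAMPLE = [
    Bulletin("MS-EXAMPLE-001", "Critical",
             [Vulnerability("CVE-0000-0001", 3), Vulnerability("CVE-0000-0002", 3)]),
    Bulletin("MS-EXAMPLE-002", "Important",
             [Vulnerability("CVE-0000-0003", 1), Vulnerability("CVE-0000-0004", 3)]),
    Bulletin("MS-EXAMPLE-003", "Critical",
             [Vulnerability("CVE-0000-0005", 2)]),
    Bulletin("MS-EXAMPLE-004", "Moderate",
             [Vulnerability("CVE-0000-0006", 1)]),
]


def plan_ids(bulletins: List[Bulletin] = SAMPLE) -> List[str]:
    """Deployment order as a list of bulletin ids."""
    return [bid for bid, _, _ in deployment_plan(bulletins)]


if __name__ == "__main__":
    for bid, bucket, reason in deployment_plan(SAMPLE):
        print(f"{bid}: bucket {bucket} ({reason})")
```

    Note the design choice: the exploitability bucket outranks the severity rating, so an Important bulletin whose single bucket-1 vulnerability is likely to be exploited goes out before a Critical bulletin whose vulnerabilities are all unlikely to be exploited. That is the trade-off the index is meant to let customers make, and a site with different risk appetite can swap the key order.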

  2. #2
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,191
    There's also the community-driven Microsoft Active Protections Program (MAPP) that gives advance notice on vulnerabilities and upcoming patches to partners. Does this mean good-bye to the finger pointing among software vendors after a disastrous patch?
    I can't say that I can recall any "disastrous patches" recently. Most of the problems that I have encountered have been when a patch has not installed correctly for some reason. That can result in instability and unpredictability.

    I tend to use this free (to private users) software for a "second opinion" as the MS update history sometimes does not spot a failed installation.

    http://www.belarc.com/free_download.html

    As for the finger pointing, I think that is a little unfair? MS have always taken the stance that they don't support software that hooks the Windows kernel. OK, a lot of security products do just this, in a variety of different ways.

    I would say that it is up to the third party vendor to ensure that their product still works, particularly if MS give them advance warning.

    I do find it slightly unusual that MS don't seem to test their updates with major third party software, if only as a public relations exercise for their customers. In particular I am thinking of security products, which are the most likely items to have issues?

    A couple of days ago I fired up a machine that I hadn't had on the internet for a few weeks. MS downloaded their updates and asked permission to install them. At that point ZoneAlarm sent me a popup warning me to install their update first. I thought that was rather good.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?
