Microsoft Exploitability Index at Black Hat

[phernandez]

Microsoft wants to buddy up to Black Hat attendees by discussing its new Exploitability Index.

A Better View of Microsoft Security? - InternetNews

The new exploitability index will supplement the patch Tuesday announcement with a new metric that will help users understand the risks that a given vulnerability may pose.

In order to gauge risk, Microsoft will detail with the exploitability index, whether or not exploit code exists or is likely to exist for a given vulnerability. The general idea is to help Microsoft customers to prioritize the importance of updates based on their likelihood of being exploited.

...Reavey explained that Microsoft will look at classifying vulnerabilities into three broad buckets. The first bucket will be highly exploitable vulnerabilities where Microsoft is of the opinion that exploit code that will work consistent is likely to be released inside of the first 30 days of the Microsoft patch being made available. The second bucked is if there is the possibility of an inconsistent exploit code that being produced that might work some of the time. The third bucket will identify vulnerabilities for which Microsoft believes it is unlikely that exploit code will be released inside of 30 days.

There's also the community-driven Microsoft Active Protections Program (MAPP) that gives advance notice on vulnerabilities and upcoming patches to partners. Does this mean good-bye to the finger pointing among software vendors after a disastrous patch?

[nihil]

There's also the community-driven Microsoft Active Protections Program (MAPP) that gives advance notice on vulnerabilities and upcoming patches to partners. Does this mean good-bye to the finger pointing among software vendors after a disastrous patch?

I can't say that I can recall any "disastrous patches" recently. Most of the problems that I have encountered have been when a patch has not installed correctly for some reason. That can result in instability and unpredictability.

I tend to use this free (to private users) software for a "second opinion" as the MS update history sometimes does not spot a failed installation.

http://www.belarc.com/free_download.html

As for the finger pointing, I think that is a little unfair? MS have always taken the stance that they don't support software that hooks the Windows kernel. OK a lot of security products do just this, in a variety of different ways.

I would say that it is up to the third party vendor to ensure that their product still works, particularly if MS give them advanced warning.

I do find it slightly unusual that MS don't seem to test their updates with major third party software, if only as a public relations exercise to their customers. In particular I am thinking of security products, that are the most likely items to have issues?

A couple of days ago I fired up a machine that I hadn't had on the internet for a few weeks. MS downloaded their updates and asked permission to install them. At that point ZoneAlarm sent me a popup warning me to install their update first. I thought that was rather good