Why Exploitability is Key to Risk
Commentary: Even if it's not perfect, there's a lot to like about Microsoft's Exploitability Index.
On any given day I see reports of various security issues allegedly affecting applications and Web sites. Often in my own professional estimation, I judge many issues to be non-issues but it's not always an easy call to make. Some security vulnerabilities are difficult to execute, while some are trivial but still could leave users at risk.
How is an enterprise administrator or a regular end-user to know what they need to worry about? The best answer could well be coming from Microsoft.
Sure vendors and security research firms have long labeled security issues with tags like "Critical" for the worst issues. Though for the most part, rating systems for vulnerabilities have not been standardized. Even worse in my view, is that there is often a contradiction between what constitutes a Critical vulnerability. I've written more times that I can count about such incidents where a vendor labels an issue with a lower criticality than I (or others) would give it.
Oracle and Cisco use a standardized approach called the Common Vulnerability Scoring System (CVSS). The general idea behind CVSS is to have a standardized metric to score the relative severity of a reported vulnerability. Not all enterprises have the ability to fix everything in a patch set right away so CVSS is supposed to help prioritization based on risk.
Though CVSS is a great idea and one that two of the largest technology vendors in the world use – from my simple world view it doesn't quite tackle the issue that I personally see as the one where all risk flows from. That risk is exploitability.
I want to know if a vulnerability can be exploited. It is only if a vulnerability can be exploited that I am immediately at risk. Yes that's a very simplistic view point but it's reality. Theoretical attacks are something that should be protected against but it is the risk from attacks that could be executed today that I'm most worried about.
The Exploitability Index
That's where the new Exploitability Index from Microsoft does something really valuable. The Exploitability Index is a new initiative from Microsoft that was announced this past summer and first used in the October Patch Tuesday update.
As opposed to using some kind of aggregate scoring system which ranks multiple categories of risk, the Exploitability Index is simple and straightforward. If a vulnerability can be exploited and there is consistent attack code already available or is likely to be available inside of 30 days that's the highest priority.
Makes good sense to me. It's an issue that can be exploited that I would want to fix first knowing that it likely represents the highest degree of risk.
Exploitability means that Microsoft has a finger on the pulse of security research and is tracking the so called exploits in the wild. Considering Microsoft's track record on software that is exploitable, Internet Explorer or otherwise – this is no small task.
But other fixes required
The flip side of using the Exploitability index as a tool for determining what you may be at risk from is that you may feel safe in not fixing issues that aren't easily exploitable. Frankly that would be a mistake as security research can move quickly and while Microsoft has immense resource they're aren't omnipotent.
Next page: Foregoing the exploitability route