Commentary
Microsoft Readies For Likelihood Of Attacks
We provided you the heads up about the Microsoft "Exploitability Index" a couple of months ago when the software company announced the new index, designed to predict the likelihood its security vulnerabilities would be attacked. It's an interesting idea, but will it have much value for practitioners?We provided you the heads up about the Microsoft "Exploitability Index" a couple of months ago when the software company announced the new index, designed to predict the likelihood its security vulnerabilities would be attacked. It's an interesting idea, but will it have much value for practitioners?This month's patch Tuesday, which is tomorrow, will be when Microsoft first attaches this exploit index to its current threat ratings. Threat ratings, as you probably know, are ranked in a series of "low" through "critical" depending on the nature of the flaw. This is how the exploitability index will look, from a story that detailed Microsoft's announcement:
1) Consistent Exploit Code Likely 2) Inconsistent Exploit Code Likely, and 3) Functioning Exploit Code Unlikely
More Security Insights
White Papers
- Mobile BI: Actionable Intelligence for the Agile Enterprise
- How To Regain IT Control In An Increasingly Mobile World - by BlackBerry
Reports
More >>Webcasts
- Outsourcing Security: What Every Potential Cloud Security Customer Should Know
- Maximize ROI with Database Consolidation onto Private Clouds
The first one means a software flaw could be attacked with highly predictable results, and would probably be very easy to exploit. This would be very bad, as exploits would surface, and would be turned into weapons for mass use. This would be a critical vulnerability, and would need to be patched. Designation two could be bad, or it could be not-so-bad. Maybe an attacker could create an exploit, maybe not. And how the at-risk system reacts to the attack may not be very predictable. The third designation, Functioning Exploit Code Unlikely, is obvious: Microsoft has determined that developing a useful, functional attack tool would not be likely.
My opinion from back then hasn't changed from my original post, which is that this won't be of much value to operations teams trying to assess their risk. Tomorrow, and in the months ahead, we'll see if it works as intended.
Related Reading
 |
To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy. |
|
T-Shirt Giveaway: Each week we're selecting one great comment from our readers. The author of the comment will receive an InformaitonWeek Community t-shirt. So get posting! |
Subscribe to RSSResource Links
This Week's Issue
Technology Whitepapers
- Creating the Enterprise-Class Tablet Environment - by Yankee Group
- How To Regain IT Control In An Increasingly Mobile World - by BlackBerry
- The BlackBerry PlayBook tablet's Good Bones - by BlackBerry
- Red Alert: Why Tablet Security Matters - by BlackBerry
- New Visual and Wizard-Driven Paradigms for Exploring Data and Developing Analytic Workflows
Featured Resource
This is your portal to all the news, product information, technical data, and other information related to the topic of computer user authentication and certification. Visit us to find out how to ensure that computer users are who they say they are.
Learn More
