Determining whether a software patch has to be applied today, next week, or next month is a major headache for information technology managers. While many software makers offer some system to rank the severity of security flaws, network administrators are still left to estimate for themselves how long they have before online miscreants start using a vulnerability to attack systems.
Security intelligence firm iDefense, for example, has a team of security experts who focus on researching online threats and figuring out which flaws will be targeted by the next attacks.
“I have six guys on my staff whose sole job is to find vulnerabilities in enterprise-level software,” says Rick Howard, director of intelligence for iDefense. “So when they see a piece of code, they have a sense about whether it is easy to exploit or not easy to exploit. They spend two days of work trying to figure that out.”
Microsoft is trying to make figuring it out a lot easier. Last year, the company launched a program to give IT managers more information by developing a three-level ranking system, known as the Exploitability Index. The program gauges whether a vulnerability is the equivalent of low-hanging fruit for online attackers or a much tougher nut to crack. The three levels, from most to least likely to be exploited, are:

1. Consistent exploit code likely
2. Inconsistent exploit code likely
3. Functional exploit code unlikely
Microsoft only considers the question of exploitability for a 30-day period following the release of a patch and does not try to forecast beyond that.
In a study released in July, iDefense found that Microsoft did a (relatively) respectable job of predicting whether an exploit would be released. Approximately one-third of all vulnerabilities assigned an Exploitability Index of 1 (“consistent exploit code likely”) were actually exploited in the 30 days following the release of the patch, while only one in five of the remaining vulnerabilities was exploited. Still, calling one-third correctly means that Microsoft rated the other two-thirds of those vulnerabilities as likely to be exploited, and they were not.
“It is hard to figure out whether [researchers and attackers] will go public in 30 days,” says Howard. “It is not a bad indicator; it’s still not the best indicator.”
So far, there is little data on how the bad guys are using the Exploitability Index to focus their own efforts, an initial worry when Microsoft announced the program. The attackers could be focusing on quickly finding the easy-to-exploit vulnerabilities, those rated 1 on the Exploitability Index, before companies plug the security holes, or they could focus on finding ways of reliably exploiting the harder flaws, expecting that companies might not patch those as quickly.
“Attackers know that companies and home users don’t patch their stuff very well,” Howard says, predicting that “the harder stuff–that is the higher-end hackers–they will save those for bigger projects.”