Hello,

We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

A View from Robert Lemos

The Tricky Task of Timing Exploits

A year after Microsoft kicked off a three-level grading system for vulnerabilities, researchers still question its accuracy.

  • August 24, 2009

Determining whether a software patch has to be applied today, next week, or next month is a major headache for information technology managers. While many software makers offer some system to rank the severity of security flaws, network administrators are still left to create their best estimate of how long they have before online miscreants start using a vulnerability to attack systems.

Security intelligence firm iDefense, for example, has a team of security experts who focus on researching online threats and figuring out which flaws will be targeted by the next attacks.

“I have six guys on my staff whose sole job is to find vulnerabilities in enterprise-level software,” says Rick Howard, director of intelligence for iDefense. “So when they see a piece of code, they have a sense about whether it is easy to exploit or not easy to exploit. They spend two days of work trying to figure that out.”

Microsoft is trying to make figuring it out a lot easier. Last year, the company launched a program to give IT managers more information by developing a three-level ranking system, known as the Exploitability Index. The program gauges whether a vulnerability is the equivalent of low-hanging fruit for online attackers or a much tougher nut to crack. The three levels are:

  1. Consistent exploit code likely
  2. Inconsistent exploit code likely
  3. Functional exploit code unlikely

Microsoft only considers the question of exploitability for a 30-day period and does not try to forecast beyond that.

In a study released in July, iDefense found that Microsoft did a (relatively) respectable job of predicting whether an exploit would be released. Approximately one-third of all vulnerabilities assigned an Exploitability Index of one–“consistent exploit code likely”–were actually exploited in the 30 days following the release of the patch, while only one in five of the remaining vulnerabilities was exploited. Still, calling one-third correctly means that Microsoft thought it likely that the other two-thirds of vulnerabilities would be exploited and they were not.

Microsoft has done well predicting the relative frequency that software flaws might be used in an attack. (Source: iDefense’s “Microsoft Exploitability Index: A Review,” modified to correct errors)

“It is hard to figure out whether [researchers and attackers] will go public in 30 days,” says Howard. “It is not a bad indicator; it’s still not the best indicator.”

So far, there is little data on how the bad guys are using the Exploitability Index to focus their own efforts–an initial worry when Microsoft announced the program. The attackers could be focusing on quickly finding the easy-to-exploit vulnerabilities–those ranked first on the Exploitability Index–before companies plug the security holes, or they could focus on finding ways of reliably exploiting the harder flaws, expecting that companies might not patch those as quickly.

“Attackers know that companies and home users don’t patch their stuff very well,” Howard says, predicting, that “the harder stuff–that is the higher-end hackers–they will save those for bigger projects.”

Tech Obsessive?
Become an Insider to get the story behind the story — and before anyone else.

Subscribe today
More from Intelligent Machines

Artificial intelligence and robots are transforming how we work and live.

Want more award-winning journalism? Subscribe to Insider Plus.
  • Insider Plus {! insider.prices.plus !}*

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus the digital magazine, extensive archive, ad-free web experience, and discounts to partner offerings and MIT Technology Review events.

    See details+

    What's Included

    Unlimited 24/7 access to MIT Technology Review’s website

    The Download: our daily newsletter of what's important in technology and innovation

    Bimonthly print magazine (6 issues per year)

    Bimonthly digital/PDF edition

    Access to the magazine PDF archive—thousands of articles going back to 1899 at your fingertips

    Special interest publications

    Discount to MIT Technology Review events

    Special discounts to select partner offerings

    Ad-free web experience

/3
You've read of three free articles this month. for unlimited online access. You've read of three free articles this month. for unlimited online access. This is your last free article this month. for unlimited online access. You've read all your free articles this month. for unlimited online access. You've read of three free articles this month. for more, or for unlimited online access. for two more free articles, or for unlimited online access.