Yesterday, Microsoft officially added a new feature to its monthly update cycle called the Exploitability Index (EI). It predicts the likelihood of functioning exploit code appearing for the vulnerabilities fixed by each patch. The feature is now part of the monthly Security Bulletin Summary that appears every Patch Tuesday. However, will the Exploitability Index help as designed, or will it only paint a target on vulnerable systems?
Will the new Exploitability Index help or hurt IT? (IMG:J.Anderson)
Microsoft created the Exploitability Index to help IT departments prioritize systems patching and updating. In the past, IT departments tested and deployed critical patches first, then important patches, finally moving to the moderate patches. What the EI does is give IT a bookie-like betting platform on the odds of exploit code appearing for any single vulnerability that was patched.
The Exploitability Index has three levels:
Level 1: Exploit code could be created in such a way that an attacker could consistently exploit that vulnerability.
Level 2: Exploit code could be created, but an attacker would likely experience inconsistent results, even when targeting the affected product.
Level 3: Exploit code that functions successfully is unlikely to be released.
“This means that it might be possible for exploit code to be released that could trigger the vulnerability and cause abnormal behavior, but it is unlikely that an attacker would be able to create an exploit that could successfully exercise the full impact of the vulnerability,” Microsoft explains on the scope of Level 3.
As mentioned, before the Exploitability Index, IT departments would likely test and deploy all the critical patches first, with important and moderate patches taking a backseat. However, using the EI as a guide when prioritizing patch deployment changes the way things were done in the past.
Using October’s patches as an example, IT would have normally placed the four critical issues in testing and readied them for deployment. The six important issues and one moderate issue would get attention down the road.
Yet, thanks to the new feature from Microsoft, you see that three of the important issues (MS08-061, 062, and 066) earned an EI rank of Level 1, while one critical issue, MS08-060, is listed as Level 2. This means that instead of four patches, IT now has six to look at first, or seven if you stick with the process in which every critical patch gets instant attention.
“The Exploitability Index is an important tool for Microsoft customers to utilize in prioritizing and planning the rollout of patches released on Patch Tuesday. The security ratings issued by Microsoft are very important in helping answer the question of how dangerous an exploit could be, but they do not provide an understanding of how likely it is that a hacker may try to exploit the vulnerability,” Don Leatham, senior director of solutions and strategy at Lumension, told The Tech Herald.
“The exploitability index answers the second half of the question – for a specific vulnerability, are we likely to see an exploit in the wild? This is critically important for customers that have to prioritize the deployment of Patch Tuesday updates across limited IT resources and demanding change-control policies. The exploitability index does not replace the security ratings system. Both are important. Together they help customers understand how to prioritize updates in a way that intelligently reduces risk to their organizations.”
The EI is sure to help IT departments that are taxed on resources; most IT departments are understaffed and rarely get a day dedicated to patching systems. Still, the question has to be asked: will this do more harm than good in the long run?
After Patch Tuesday comes and goes, there is usually a 24-48 hour wait before you see valid exploit code online for the various vulnerabilities Microsoft just issued patches for. Why is this? This happens because criminals reverse engineer the patches and develop exploit code for them.
There is serious money in creating exploits for vulnerabilities. An entire cottage industry with many levels has sprung up, seemingly out of nowhere, in the last few years. Gone are the days when Virus writers blast out code for fun and games or reputation points. Now they do it for not only fame, but most importantly, fortune.
Some do it as a means to live, using their skill not in IT helping the good guys, but on the black market slaughtering the innocent users like lambs. Millions of identities are stolen each year, hundreds of thousands of computers infected, all because criminals like to be paid.
The Exploitability Index could lull some IT departments, and even home users, into a false sense of security. For example, what if companies shift and place their patching policy in the hands of the EI Levels assigned by Microsoft, simply because they offer a fast, at-a-glance, risk assessment? This means businesses would be assuming that the Malware authors and criminals would do the same. After all, if Microsoft says that something is highly unlikely, it must mean it’s true.
This assumption can be risky. MS08-058, for example, fixed five issues in Internet Explorer. Two of those issues have an EI rank of Level 1; one has a rank of Level 2, and two of them earn a rank of Level 3.
Of the Level 3 vulnerabilities, CVE IDs 2008-3474 and 2008-3476, Microsoft says it’s possible for exploit code to be released that could trigger the vulnerabilities, but it’s unlikely that an attacker could create an exploit that successfully compromises the system.
CVE ID 2008-3437 says, “Microsoft Internet Explorer 6 and 7 does not properly determine the domain or security zone of origin of web script, which allows remote attackers to bypass the intended cross-domain security policy and obtain sensitive information via a crafted HTML document, aka ‘Cross-Domain Information Disclosure Vulnerability.’”
While this CVE ID within MS08-058 is covered by a critical bulletin and therefore likely to be patched, does Microsoft really think no one can create an exploit for this problem and trick users on IE 6 or IE 7 into visiting a website that triggers it? The disclosed information could be anything, but information disclosure is more often than not used to profile a person or business. The more information an attacker has, the better the odds the planned attack will succeed.
CVE ID 2008-3476 says, “Microsoft Internet Explorer 5.01 SP4 and 6 does not properly handle errors associated with access to uninitialized memory, which allows remote attackers to execute arbitrary code via a crafted HTML document.” This is what Microsoft called an HTML Objects Memory Corruption Vulnerability, and again, assigned it a Level 3.
These are examples of issues that, if listed as moderate or even important on their own, could be skipped in the patching process. While they are part of the critical patch MS08-058 this month, and therefore likely to be installed, assuming that no one could exploit them is a serious gamble for a business or user to take.
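The arithmetic above (four critical bulletins, six by EI Level 1, seven combined) and the MS08-058 case can be worked through in a small prioritizer. This is an added example, not code from the article or from Microsoft; bulletins and CVEs the article does not name are labelled placeholders, with their EI levels inferred from the article's counts.

```python
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 0, "important": 1, "moderate": 2, "low": 3}


@dataclass
class Bulletin:
    bulletin_id: str
    severity: str
    cves: dict  # CVE id -> EI level: 1 = consistent exploit likely, 3 = working exploit unlikely

    def ei_level(self) -> int:
        # Microsoft rates each CVE; a bulletin rolls up to its most exploitable CVE.
        return min(self.cves.values())


# Constructed from the October 2008 bulletins the article names. "placeholder-" IDs stand in
# for bulletins and CVEs the article does not identify (assumption: the two unnamed critical
# bulletins are Level 1, which is what makes the article's six-versus-seven count work).
OCTOBER_2008 = [
    Bulletin("MS08-058", "critical", {"placeholder-cve-1": 1, "placeholder-cve-2": 1,
                                      "placeholder-cve-3": 2,
                                      "CVE-2008-3474": 3, "CVE-2008-3476": 3}),
    Bulletin("MS08-060", "critical", {"placeholder-cve-4": 2}),
    Bulletin("placeholder-critical-1", "critical", {"placeholder-cve-5": 1}),
    Bulletin("placeholder-critical-2", "critical", {"placeholder-cve-6": 1}),
    Bulletin("MS08-061", "important", {"placeholder-cve-7": 1}),
    Bulletin("MS08-062", "important", {"placeholder-cve-8": 1}),
    Bulletin("MS08-066", "important", {"placeholder-cve-9": 1}),
    Bulletin("placeholder-important-1", "important", {"placeholder-cve-10": 2}),
    Bulletin("placeholder-moderate-1", "moderate", {"placeholder-cve-11": 3}),
]


def severity_first(bulletins):
    """The old policy: every critical bulletin goes into testing first."""
    return [b.bulletin_id for b in bulletins if b.severity == "critical"]


def ei_first(bulletins):
    """An EI-only policy: whatever rolls up to Level 1, regardless of severity rating."""
    return [b.bulletin_id for b in bulletins if b.ei_level() == 1]


def combined(bulletins):
    """Critical OR Level 1, ordered by EI level then severity (stable sort keeps input order)."""
    picked = [b for b in bulletins if b.severity == "critical" or b.ei_level() == 1]
    picked.sort(key=lambda b: (b.ei_level(), SEVERITY_RANK[b.severity]))
    return [b.bulletin_id for b in picked]


def level3_riding_along(bulletins):
    """Level 3 CVEs fixed inside a bulletin that rolls up to Level 1: they get installed with
    the bulletin, but had they shipped alone an EI-driven policy would have deferred them."""
    return {b.bulletin_id: sorted(c for c, lvl in b.cves.items() if lvl == 3)
            for b in bulletins if b.ei_level() == 1 and 3 in b.cves.values()}
```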
The best practice is to patch everything if it applies to you, or your business. The bookie-like system offered in the Exploitability Index gives odds you should never bet on, because if criminals see a weakness, and a chance to profit from it, they will exploit it. Assuming that an OS patch is ok to skip or put off, because it was assigned one level over another, is a bad bet all around.