Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

1/13/2009
09:42 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Futility Of Microsoft's Exploitability Index

As far as Microsoft patch Tuesdays are concerned, 2009 treads in like a lamb, with the software maker issuing only one security bulletin in its MS09-001 January patch rollout. Yet, even as MS09-001 is rated as "critical" for popular versions of its operating system -- the company's Exploitability Index hails: "Functioning exploit code unlikely." What's with the mixed signals?

As far as Microsoft patch Tuesdays are concerned, 2009 treads in like a lamb, with the software maker issuing only one security bulletin in its MS09-001 January patch rollout. Yet, even as MS09-001 is rated as "critical" for popular versions of its operating system -- the company's Exploitability Index hails: "Functioning exploit code unlikely." What's with the mixed signals?As far as I can tell, MS09-001 is the poster child as to why why Microsoft's Exploitability Index assessment is a bad idea.

According to Thomas Claburn's story on the patches today, Microsoft rated MS09-001 as "critical," for Microsoft Windows 2000, Windows XP, and Windows Server 2003, and "moderate" for Windows Vista, and Windows Server 2008.

OK. That's clear enough.

For background, today's update resolves a number of vulnerabilities in Microsoft Server Message Block (SMB) Protocol. These vulnerabilities could allow remote code execution on at-risk Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, which is security-geek for saying you're owned, and an attacker could pretty much install whatever snoop-ware they wish on your system, or even create administration accounts and throw a party from your IP address.

Yet, even with the "critical" risk rating, Microsoft Exploitability Index designates the vulnerability with its lowest rating, "Functioning exploit code unlikely."

Holy Mixed Signals, Batman!

So, should admins patch or not? We have a critical vulnerability with an unlikely potential of attack, especially automated attacks. Such conflicting information doesn't make it easy for security managers to argue with management for the resources necessary to test and issue the patches right away. And why should they patch right away, considering it seems it's a low risk that the bad guys will be able to attack anytime soon?

It seems two vulnerability experts also were initially confused by the convoluted message coming from Redmond. Here's what Andrew Storms, director of security operations at nCircle Network Security, told Claburn today:

"That's today's head-scratcher," said Storms. "It's unauthenticated, it's from the networks, and it's SMB. So it should be considered critical. The question is: Why is functional exploit code unlikely?" Storms added that exploit code related to this issue was circulated on a security mailing list last September.

And here's what Eric Schultze, CTO of Shavlik Technologies, had to say:

"MS09-001 is a super-critical patch to install right away," he said in an e-mailed statement. "This vulnerability is similar to what prompted the Blaster and Sasser worms a few years ago. We expect to see a worm released for this in the very near future."

My advice? Listen to Storms and Schultze as well as Microsoft's "critical" vulnerability rating -- and ignore Microsoft's baffling Exploitability Index in your risk decisions.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-12777
PUBLISHED: 2020-08-10
A function in Combodo iTop contains a vulnerability of Broken Access Control, which allows unauthorized attacker to inject command and disclose system information.
CVE-2020-12778
PUBLISHED: 2020-08-10
Combodo iTop does not validate inputted parameters, attackers can inject malicious commands and launch XSS attack.
CVE-2020-12779
PUBLISHED: 2020-08-10
Combodo iTop contains a stored Cross-site Scripting vulnerability, which can be attacked by uploading file with malicious script.
CVE-2020-12780
PUBLISHED: 2020-08-10
A security misconfiguration exists in Combodo iTop, which can expose sensitive information.
CVE-2020-12781
PUBLISHED: 2020-08-10
Combodo iTop contains a cross-site request forgery (CSRF) vulnerability, attackers can execute specific commands via malicious site request forgery.