informa
Commentary

Futility Of Microsoft's Exploitability Index

As far as Microsoft patch Tuesdays are concerned, 2009 treads in like a lamb, with the software maker issuing only one security bulletin in its MS09-001 January patch rollout. Yet, even as MS09-001 is rated as "critical" for popular versions of its operating system -- the company's Exploitability Index hails: "Functioning exploit code unlikely." What's with the mixed signals?
As far as Microsoft patch Tuesdays are concerned, 2009 treads in like a lamb, with the software maker issuing only one security bulletin in its MS09-001 January patch rollout. Yet, even as MS09-001 is rated as "critical" for popular versions of its operating system -- the company's Exploitability Index hails: "Functioning exploit code unlikely." What's with the mixed signals?As far as I can tell, MS09-001 is the poster child as to why why Microsoft's Exploitability Index assessment is a bad idea.

According to Thomas Claburn's story on the patches today, Microsoft rated MS09-001 as "critical," for Microsoft Windows 2000, Windows XP, and Windows Server 2003, and "moderate" for Windows Vista, and Windows Server 2008.

OK. That's clear enough.

For background, today's update resolves a number of vulnerabilities in Microsoft Server Message Block (SMB) Protocol. These vulnerabilities could allow remote code execution on at-risk Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, which is security-geek for saying you're owned, and an attacker could pretty much install whatever snoop-ware they wish on your system, or even create administration accounts and throw a party from your IP address.

Yet, even with the "critical" risk rating, Microsoft Exploitability Index designates the vulnerability with its lowest rating, "Functioning exploit code unlikely."

Holy Mixed Signals, Batman!

So, should admins patch or not? We have a critical vulnerability with an unlikely potential of attack, especially automated attacks. Such conflicting information doesn't make it easy for security managers to argue with management for the resources necessary to test and issue the patches right away. And why should they patch right away, considering it seems it's a low risk that the bad guys will be able to attack anytime soon?

It seems two vulnerability experts also were initially confused by the convoluted message coming from Redmond. Here's what Andrew Storms, director of security operations at nCircle Network Security, told Claburn today:


"That's today's head-scratcher," said Storms. "It's unauthenticated, it's from the networks, and it's SMB. So it should be considered critical. The question is: Why is functional exploit code unlikely?" Storms added that exploit code related to this issue was circulated on a security mailing list last September.

And here's what Eric Schultze, CTO of Shavlik Technologies, had to say:


"MS09-001 is a super-critical patch to install right away," he said in an e-mailed statement. "This vulnerability is similar to what prompted the Blaster and Sasser worms a few years ago. We expect to see a worm released for this in the very near future."

My advice? Listen to Storms and Schultze as well as Microsoft's "critical" vulnerability rating -- and ignore Microsoft's baffling Exploitability Index in your risk decisions.

Recommended Reading: