Login

Please login to Techworld.com

Forgot password?
Need your new account confirmation email resent?
Forgot email?

Not a member yet?

Register for a Techworld Account and enjoy unlimited access to our extensive white paper library and exclusive Enterprise multi-user software trials. Account members can also comment on articles and access best practices guides.

Security

Top How-Tos / Advice articles

Microsoft's calls on bug exploits 'worse than coin toss'

Predictions are right just 27% of the time

By Gregg Keizer | Computerworld US | Published: 07:10, 04 November 2009

Microsoft' is not too hot at predicting which of its bugs would be exploited by hackers. According to the company's own figures, its predictions are right only about a quarter of the time in the first half of 2009.

"That's not as good as a coin toss," said Andrew Storms, director of security operations at nCircle Network Security. "So what's the point?"

In October 2008, Microsoft added an "Exploitability Index" to the security bulletins it issues each month. The index rates bugs on a scale from 1 to 3, with 1 indicating that consistently-successful exploit code was likely in the next 30 days, and 3 meaning that working exploit code was unlikely during that same period.

The idea was to give customers more information to decide which vulnerabilities should be patched first. Before the introduction of the index, Microsoft only offered impact ratings - "critical," "important," "moderate" and "low" - as an aid for users puzzled by which flaws should be fixed immediately and which could be set aside for the moment.

But in the first half of this year, Microsoft correctly predicted exploits just slightly more than one out of every four times.

"Forty-one vulnerabilities were assigned an Exploitability Index rating of 1, meaning that they were considered the most likely to be exploited within 30 days of the associated security bulletin's release," Microsoft stated in its bi-annual security intelligence report , which it published Monday. "Of these, 11 were, in fact, exploited within 30 days."That means Microsoft got it right about 27 percent of the time.

Microsoft also tallied its predictions by security bulletins - in many cases a single bulletin included patches for multiple vulnerabilities - to come up with a better batting average. "Sixteen bulletins received a severity rating of Critical," it said in its report. "Of these, 11 were assigned an Exploitability Index rating of 1. Five of these 11 bulletins addressed vulnerabilities that were publicly exploited within 30 days, for an aggregate false positive rate of 55 percent."

The company defended its poor showing - even on a bulletin-by-bulletin level it accurately predicted exploitability only 45 percent of the time - by saying it was playing it safe. "The higher false positive rate for Critical security bulletins can be attributed to the conservative approach used during the assessment process to ensure the highest degree of customer protection for the most severe class of issues," said Microsoft.

"There's some validity to that," agreed Storms. "They're going to err on the side of caution, if only to prevent people saying 'I told you so' if an exploit appears later."

[ 1 ] [ 2 ] continued on page 2 »

Send to a friend

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.