Microsoft reduces exploitability by being ‘open’

From the ‘being open is good‘ files:

Microsoft today is releasing a pair of new security efforts that are all about being more open when it comes to security.
Project Quant is a new open community effort that is tasked with developing an update management cost model while the Microsoft Office Visualization Tool (OffVis) are about ensuring  you don’t get Rick Rolled (i.e hit by a an office borne virus).

Both of those are good new ideas though the biggest thing that Microsoft has done in recent years to improve exploitabilty in my opinion has been to actually define exploitability.

A year ago, Microsoft rolled out its Microsoft Exploitability Index and the Microsoft Active Protections
Program (MAPP) as efforts to provide new visibility into security
vulnerabilities that affect Microsoft products.

What that has meant to me, is that when I write about a particular Microsoft vulnerability, I’ve got an official Microsoft metric on how likely it is that the issue could be exploitable. This is a very valuable thing, since there are a seemingly endless number of bugs in all software – not all of them lead directly to immediately exploitable software.

News Around the Web