HomeSecurity

Microsoft Rates Patched Flaws by Exploitability

By Sean Michael Kerner

Microsoft’s latest monthly Patch Tuesday roundup of fixes came with a little something extra today — the company’s first rankings of how likely each vulnerability is to be exploited by an attacker.

The update thus marks not just a large patch count — with 20 vulnerabilities spread among 11 advisories, four of which are considered “critical” — but it’s also the debut of the Exploitability Index from Microsoft, which assigns a numerical score to each vulnerability. The highest score for the Exploitability Index is 1, which is assigned to vulnerabilities that can be consistently exploited with exploit code that already exists or is likely to exist soon.

Among the vulnerabilities listed in today’s update, an issue with Excel that could allow for remote code execution rated a 1. According to Microsoft’s advisory, an attacker who successfully exploited these vulnerabilities could take complete control of an affected system.

Microsoft has also issued a pair of Exploit 1 advisories for its Internet Explorer browser. In its advisory, the company said that the vulnerabilities are triggered by a user visiting a specially crafted Web page that could then lead to remote code execution or unintended information disclosure.

Internet Explorer also received two additional advisories from Microsoft, one rated a level 2 and the other a level 3 in terms of exploitability. A level 2 on the Exploit Index signifies the possibility of an inconsistent exploit code that could be produced and which may work some of the time. A rating of 3 identifies vulnerabilities for which Microsoft believes exploit code will be released within 30 days.

The October Patch haul includes two additional level 1 Exploitability advisories — one for the Windows Kernel, which could lead to a privileged escalation attack. The other is for a vulnerability in the Microsoft Host Integration Server Remote Procedure Call (RPC) service. According to Microsoft’s advisory, the vulnerability could allow remote code execution if an attacker sent a specially crafted RPC request to an affected system.

Microsoft first announced the Exploitability Index initiative at the Black Hat Las Vegas conference in August.

Sean Michael Kerner
Previous articleIntel: Quarterly Profit Up But Uncertainty Ahead
Next articleMozilla Firefox 3.1 Beta 1 shows some neat features

Similar Posts

News Around the Web

InternetNews is a source of industry news and intelligence for IT professionals from all branches of the technology world. We aim to help these professionals grow their knowledge base and authority in their field with the top news and trends in Software, IT Management, Networking & Communications, and Small Business.

Our Brands

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.