Microsoft’s latest monthly Patch Tuesday roundup of fixes came with a little something extra today — the company’s first rankings of how likely each vulnerability is to be exploited by an attacker.
The update thus brings not just a large patch count, with 20 vulnerabilities spread among 11 advisories, four of which are considered “critical,” but also the debut of the Exploitability Index from Microsoft, which assigns a numerical score to each vulnerability. The highest score for the Exploitability Index is 1, which is assigned to vulnerabilities that can be consistently exploited with exploit code that already exists or is likely to exist soon.
Among the vulnerabilities listed in today’s update, an issue with Excel that could allow for remote code execution rated a 1. According to Microsoft’s advisory, an attacker who successfully exploited these vulnerabilities could take complete control of an affected system.
Microsoft has also issued a pair of Exploit 1 advisories for its Internet Explorer browser. In its advisory, the company said that the vulnerabilities are triggered by a user visiting a specially crafted Web page that could then lead to remote code execution or unintended information disclosure.
Internet Explorer also received two additional advisories from Microsoft, one rated a level 2 and the other a level 3 in terms of exploitability. A level 2 on the Exploitability Index signifies that inconsistent exploit code could be produced, meaning code that may work some of the time. A rating of 3 identifies vulnerabilities for which Microsoft believes exploit code will be released within 30 days.
The October Patch haul includes two additional level 1 Exploitability advisories. One is for the Windows Kernel, which could lead to a privilege escalation attack. The other is for a vulnerability in the Microsoft Host Integration Server Remote Procedure Call (RPC) service. According to Microsoft’s advisory, the vulnerability could allow remote code execution if an attacker sent a specially crafted RPC request to an affected system.
Microsoft first announced the Exploitability Index initiative at the Black Hat Las Vegas conference in August.