We have received early notification that Microsoft is changing how it guides customers on patching priority. In 2008 Microsoft published its first Exploit Index to give customers a better sense of the likelihood of getting "Sploited." This new notification reflects a change in the index ratings.
Reviewing the publication by Microsoft, I think they are saying:
1 - Exploit code is easy to create and/or already exists.
As always, the Storm Center Handlers will continue to independently evaluate "Microsoft Patch Tuesday" for "Reboot Wednesday" and provide our guidance :) For a reference point from their site: recall MS08-021 (Vulnerability in GDI Could (Did and does :) Allow Remote Code Execution)? MSFT rates that with an EIA of 1.
Also, the notification included early warning of a light patch month: a set of Office patches and a set of server patches covering Windows Server 2003 through 2008 R2.
http://technet.microsoft.com/en-us/security/cc998259.aspx <-- Index Definition
http://tinyurl.com/6fygchn <-- Original Notice
http://www.microsoft.com/technet/security/bulletin/ms11-may.mspx <-- Advance Notice
--- ISC Handler on Duty
May 6th 2011
I had a different interpretation of the Microsoft changes. It seems to me that the 3-level Exploit Index itself is remaining essentially the same...
...but that they're 1) going to start giving different scores for "new" vs. "older" software, e.g. Windows Vista / Office 2007 and newer mitigates many vulns via wider DEP enrollment, ASLR etc., whereas XP products are more easily exploited.
And 2) I think they're adding a new DoS Exploitability Assessment of Temporary vs. Permanent.
May 8th 2011