
Microsoft & The Exploitability Index

from PC Magazine

As part of last month’s (October 2008’s) Patch Tuesday releases, Microsoft initiated a new “exploitability index.” The index attempts to describe, for each vulnerability, the likelihood of exploit code being released, and the likelihood that exploit code would be consistently effective.

It’s roughly a month later and Microsoft is now beginning analysis on how well the ratings did. For the 4 vulnerabilities rated “Functioning exploit code unlikely” no exploit code was observed. For the 9 vulnerabilities rated “Inconsistent exploit code likely” no exploit code was observed, and for the 9 rated “Consistent exploit code likely” four have had exploit code released, including one for which the code was public at the time of the patch.

Some are interpreting the numbers to give Microsoft a low accuracy score, but it’s certainly too soon to tell. The big issue is that Microsoft predicted that exploit code was likely for 18 of the vulnerabilities and code was released for only 4. But it’s only been one month. Certainly it’s too soon to tell if their predictions will pan out, but I’m not sure what a reasonable window is. If exploit code comes out for one of the vulnerabilities in 3 months, wasn’t it good that they predicted it would be so?

As Microsoft says in the blog, they are erring on the side of exploitability. It’s much better for them to say that exploit code is likely and be wrong than for them to say that exploit code is not likely and be wrong. The point is to give guidance to users for where to put their resources. So it’s better for them not to overstate exploitability, but most important that they don’t understate it.

Perhaps they’ll find a better balance over time. If they do heavily overstate the likelihood of exploits the index will lose value to users and they’ll have to react.
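The scoring the quoted piece describes can be carried out mechanically once the observed outcomes are in. The following is an added example (not code from PC Magazine, from Microsoft or from this blog): it tallies, per rating, how many vulnerabilities were rated and how many saw exploit code, separates the two kinds of error the piece distinguishes (rated unlikely but exploited, versus rated likely but not exploited), and weights them asymmetrically as the piece argues they should be. The per-vulnerability records are constructed to match the totals quoted above (4 / 9 / 9 rated, 4 of the "consistent" ones exploited); the identifiers and the cost weights are placeholders, not figures from the page.

```python
from collections import defaultdict

# Microsoft's three Exploitability Index ratings, as worded in October 2008.
CONSISTENT = "Consistent exploit code likely"
INCONSISTENT = "Inconsistent exploit code likely"
UNLIKELY = "Functioning exploit code unlikely"

# Ratings that assert exploit code is likely. Exploit code turning up for a
# vulnerability outside this set is the error the index must avoid.
LIKELY_RATINGS = {CONSISTENT, INCONSISTENT}


def constructed_october_2008_sample():
    """Per-vulnerability records matching the totals quoted in the text.

    Constructed data: the page gives only bucket totals (4 rated unlikely,
    9 inconsistent, 9 consistent, with exploit code observed for 4 of the
    consistent ones). Which bulletins those were is not on the page, so
    the identifiers here are placeholders.
    """
    records = [("vuln-u%d" % i, UNLIKELY, False) for i in range(4)]
    records += [("vuln-i%d" % i, INCONSISTENT, False) for i in range(9)]
    records += [("vuln-c%d" % i, CONSISTENT, i < 4) for i in range(9)]
    return records


def score_index(records):
    """Tally how each rating fared once exploit code did or did not appear.

    records: iterable of (identifier, rating, exploit_code_observed).
    Returns per-rating counts and hit rates, plus two lists:
      understated - rated unlikely, but exploit code was observed
      overstated  - rated likely, but no exploit code was observed
    """
    rated = defaultdict(int)
    exploited = defaultdict(int)
    understated, overstated = [], []
    for ident, rating, observed in records:
        rated[rating] += 1
        exploited[rating] += int(observed)
        if observed and rating not in LIKELY_RATINGS:
            understated.append(ident)
        elif not observed and rating in LIKELY_RATINGS:
            overstated.append(ident)
    return {
        "rated": dict(rated),
        "exploited": dict(exploited),
        "hit_rate": {r: exploited[r] / rated[r] for r in rated},
        "understated": understated,
        "overstated": overstated,
    }


def asymmetric_cost(scored, miss_weight=10, false_alarm_weight=1):
    """Weight the two error types the way the quoted piece argues they should be.

    The weights are an assumption for illustration: an understated rating
    (a patch deferred for something that was then exploited) is charged far
    more than an overstated one (a patch expedited for nothing).
    """
    return (miss_weight * len(scored["understated"])
            + false_alarm_weight * len(scored["overstated"]))


if __name__ == "__main__":
    result = score_index(constructed_october_2008_sample())
    for rating, rate in result["hit_rate"].items():
        print("%-34s %d rated, %d exploited (%.0f%%)" % (
            rating, result["rated"][rating], result["exploited"][rating], 100 * rate))
    print("understated:", len(result["understated"]),
          "overstated:", len(result["overstated"]),
          "weighted cost:", asymmetric_cost(result))
```

Run against the October figures the script reports no understated ratings and fourteen overstated ones; with the assumed weights, adding a single vulnerability that was rated unlikely and then exploited costs more than all fourteen overstatements together, which is the trade-off the piece is describing. Re-running the same tally at three or six months, rather than one, is how you would settle the "reasonable window" question the piece leaves open.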

At first it seemed like a good idea: let the customer know that the company is on the stick and is putting its resources in the places where they will do the most good.

But by letting the public know about these vulnerabilities, Microsoft also feeds those who live to destroy the efforts of the folks at Redmond. Remember, a cottage industry has grown up just to screw with Microsoft’s output. (Note that the ratings are attached to vulnerabilities the same bulletins already disclose, so what the index adds for an attacker is a hint about which of the already-public bugs is the easiest target.) The article talks about striking a balance, but rather than that, why not do code reviews and avoid these problems in the first place?

Back in the early times (the 80s!), Microsoft told us that most of the reason for the numerous DLLs (dynamic link libraries, files that are supposed to be useful in more than one program, allowing smaller code overall) was brevity of code, and coding once while getting it right. That was the entire point of object oriented programming. Code was supposed to be largely blocks of sturdy, well built code, each doing one thing and doing it well, strung together to get the right effect.

At the heart of this effort was the idea that if a certain method of doing a job was found to be ‘bullet proof’, it would be implemented that way forever, using those reusable code blocks.

Where did Microsoft lose its way? Why is it that with each iteration of the operating system the wheel must be re-invented, and usually not in a way that yields greater reliability?

Now to the meat of the matter. Microsoft has really done nothing radically new since Windows 95 (and really, other than doing away with DOS loading the Windows code, 95 wasn’t so different from 3.1). The same things have been done on a computer for years, so these things, like accessing the internet, should be bullet proof by now.

Yet they are not. Hmm …


One Comment

Absolutely love the statement that “Microsoft has done nothing radically new since Windows 95”. Just rings with truth that many seem to forget or ignore.
