Security Response Center Updates Procedures

Security updates from the Microsoft Security Response Center (MRSC) will include estimates of how easily the vulnerabilities they fix can be exploited. This change should help customers prioritize the deployment of Microsoft security updates. Customers could also benefit from changes in how the MSRC works with partners, in particular other security software and service vendors.

The MRSC identifies, monitors, and resolves vulnerabilities in Microsoft’s products and may be best known for coordinating the monthly “Patch Tuesday” releases. The changes, scheduled to begin in Oct. 2008, were announced at the Aug. 2008 Black Hat Conference, a conference for security experts that is sponsored by Microsoft, Cisco, Nokia, and other vendors.

Improved Risk Evaluation

The first change, an Exploitability Index, will help customers better evaluate risk from the vulnerabilities patched by Microsoft security updates, therefore helping prioritize deployment of the updates. The Exploitability Index will estimate the likelihood that functioning exploit code will be released in response to a security update. It will supplement (not replace) current information that rates vulnerabilities as critical, important, moderate, or low. Those rankings tell customers how they might be affected if the exploit code were available, while the new index tells them the likelihood of the code appearing. The Exploitability Index, which will become part of the monthly Microsoft security bulletin summary, has three values.