14 DAY TRIAL // Not all Microsoft technologies should be treated equally when it comes down to assessing the exploitability risk of vulnerabilities affecting them.
This is precisely what the Redmond company focused on when introducing an overhaul to the Exploitability Index, namely a division between older product and the latest technologies available.
Announced earlier this month, the revamping is designed to illustrate the security evolution of Microsoft’s newest releases compared to their predecessors.
The software giant makes a point out of bulletproofing new products with additional security mitigations, and the evolved Exploitability Index will reflect just that.
“Microsoft is expanding its Exploitability Index to help customers on newer platforms better assess risk,” a Microsoft spokesperson told Softpedia.
“The company will continue to offer an aggregate exploitability rating for each vulnerability across all previous product versions, but will also specifically break out Exploitability Index information for Microsoft’s latest products.
“This new system demonstrates the value of the security protections and mitigations available by default for new products. Check out the MSRC blog post for more details on this change, which helps customers more easily prioritize security updates.”
The May 2011 security bulletin releases are illustrative of the changes to the Exploitability Index.
Customers can visit the Microsoft Security Bulletin Summary for May 2011 webpage in order to get an idea of how the software giant now assesses the possibility of exploits for vulnerabilities resolved on Patch Tuesday.
They will be able to see that all the vulnerabilities have two separate mentions, the Code Execution Exploitability Assessment for Latest Software Release and Code Execution Exploitability Assessment for Older Software Releases.
MS11-036 for example does not impact Office 2010, as such customers running the latest version of the productivity suite are not affected.
However, MS11-035 is used to repair vulnerabilities in Windows Server 2008 R2 SP1, a situation reflected in the Exploitability Index.