Microsoft to Offer More Detail on Security Warnings

Microsoft has announced an overhaul of the way it assess and publicizes the risk security problems pose to users of its products. The new technique will give added detail as well as highlighting the benefits of upgrading to the latest version of Windows.

The changes will affect Microsoft's monthly security update, which includes ratings for the potential damage that could be caused by a particular security flaw if the relevant patch is not applied.

As well as giving an overall idea of the range and scale of problems, the ratings are also aimed at business users for whom applying updates across an entire network can be a lengthy process, making it useful to know which fixes represent top priority.

Moving Beyond the Exploitability Index

In 2008 Microsoft extended its ratings system to include a second measure, the exploitability index.

The exploitability index is a number that forecasts how likely it is that hackers will take advantage of a particular flaw in the 30 days after the update is released. It's designed to give a more detailed picture of situations where there's a bug that theoretically exposes users to major damage, but where it would be very difficult for hackers to actually take advantage.

The rating also takes account of any information about whether hackers are known to have already begun working on or sharing a tactic for exploiting a bug.

Dangers Mitigated By Modern Safeguards

The new system makes two refinements to the exploitability index.

The first is that there will now be separate ratings for the latest version of the relevant software and for all older systems. That's designed to reflect new features, particularly in Windows, that make it harder for hackers to take full advantage of a particular flaw.

Microsoft gives the example of Address Space Layout Randomization (ASLR), a feature introduced with Windows Vista that organizes some elements of code stored in a PC's memory in an unpredictable manner.

With ASLR, hackers will find it much harder to cause any harm to a PC. Microsoft notes that at present it often has to give a high exploitability rating for a bug because of the potential damage in Windows XP, even though in Windows 7 ASLR makes an attack unlikely. (Source: networkworld.com)

The second change is that the rating will come with an assessment of the potential for a denial of service attack (DoS).

In a denial of service attack, a hacker is not necessarily able to take control of the machine, but is able to force Windows to stop responding, thus causing disruption for users. Microsoft will now note whether such a potential attack would be temporary or would require the system to be restarted to clear it. (Source: technet.com)