Microsoft's exploit predictions are less than half right
Microsoft today called its first month of predicting whether hackers will create exploit code for its bugs a success -- even though the company got its forecast right less than half the time.
"I think we did really well," said Mike Reavey, group manager for the Microsoft Security Research Center (MSRC), when asked for a post-mortem evaluation of the first cycle of the team's Exploitability Index. "Four of the issues that we said where consistent exploit code was likely did have exploit code appear over the first two weeks. And another key was that in no case did we rate something too low."
Last month, Microsoft launched the index , which rates each vulnerability using a three-step system that, in descending order of severity, said researchers or hackers would come up with a consistently working exploit, develop an exploit that worked only some of the time, or fail to craft attack code at all.
The predictions were valid for the following 30 days, or until the next cycle of patches was released.
Of the nine October vulnerabilities marked "Consistent exploit code likely," four did, in fact, end up with exploit code available, said Reavey, for an accuracy rate of 44%. None of the nine tagged "Inconsistent exploit code likely" had seen actual attack code. But Microsoft correctly called the four bugs last month tagged with the label "Functioning exploit code unlikely." As Reavey said, exploit code did not appear for any of the four.
All told, Microsoft correctly predicted eight out of October's 20 vulnerabilities' exploitability, an accuracy rate of 40%. (One of the month's 21 bugs did not receive a rating, as Microsoft said public exploit code was already circulating, making a label moot.)
That accuracy rate was down slightly from what Microsoft claimed during a five-month internal run of the index before it announced the program in August at the Black Hat security conference. According to a presentation Reavey gave at the conference, during that the five months it assigned ratings, Microsoft correctly predicted the exploit code availability of 17 out of 36 bugs, for an accuracy rate of 47%.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
microsoft
Powered by Twitter
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
