Microsoft Exploitability Index
The Microsoft Exploitability Index helps customers prioritize security update deployment by providing information on the likelihood that a vulnerability addressed in a Microsoft security update will be exploited.
Why Microsoft Developed the Exploitability Index
How the Exploitability Index Works
For each vulnerability addressed in a security update, the index publishes:
- The CVE ID associated with the specific vulnerability
- The exploitability assessment for code execution on the latest software release
- The aggregate exploitability assessment for code execution on older software releases
- A description of the potential for denial of service
An example entry:

| Publicly disclosed | Exploited | Latest software release | Older software release(s) | Denial of service |
|---|---|---|---|---|
| No | No | 1 - Exploitation More Likely | 1 - Exploitation More Likely | Not applicable |
| Exploitability index assessment | Short definition |
|---|---|
| 1 | Exploitation more likely * |
| 2 | Exploitation less likely ** |
| 3 | Exploitation unlikely *** |
The complete set of ratings is:
- 0 – Exploitation Detected
- 1 – Exploitation More Likely
- 2 – Exploitation Less Likely
- 3 – Exploitation Unlikely
| DoS Exploitability Assessment | Short definition |
|---|---|
| Temporary | Exploitation of this vulnerability may cause the operating system or application to become temporarily unresponsive, until the attack is halted, or to exit unexpectedly but automatically recover. The target returns to the normal level of functionality shortly after the attack is finished. |
| Permanent | Exploitation of this vulnerability may cause the operating system or application to become permanently unresponsive, until it is restarted manually, or to exit unexpectedly without automatically recovering. |
Important Terms and Definitions
The Microsoft Exploitability Index provides additional information to help customers prioritize their deployment of the monthly security updates. Microsoft designed this index to give customers guidance on the likelihood of exploitation of each vulnerability addressed by Microsoft security updates.
Customers asked for more information to help them prioritize their deployment of Microsoft security updates each month, specifically requesting details about the likelihood of exploitation for the vulnerabilities addressed in security updates. The Exploitability Index provides guidance about the actual risk of exploitation of a vulnerability at the time of the security update's release. The assessment takes into account:
- Current exploitation trends, based on telemetry data and awareness of exploitation of a particular type of vulnerability in a particular product,
- The cost and reliability of building a working exploit for the vulnerability, based on a technical analysis of the vulnerability.
The Security Update Severity Rating System assumes that exploitation will be successful. For some vulnerabilities where exploitability is high, this assumption is very likely to be true for a broad set of attackers. For other vulnerabilities where exploitability is low, this assumption may only be true when a dedicated attacker puts a lot of resources into ensuring their attack is successful. Regardless of the Severity or Exploitability Index rating, Microsoft always recommends that customers deploy all applicable and available updates; however, this rating information can assist sophisticated customers in prioritizing their approach to each month's release.
The Exploitability Index does not differentiate between vulnerability types. It focuses on the likelihood of exploitation of each vulnerability across its full impact potential. Thus any vulnerability, whether it is Remote Code Execution, Tampering or another type, could receive any of the Exploitability Index ratings.
Rating the possible exploitation of vulnerabilities is an evolving science: new exploitation techniques in general, techniques unique to a particular vulnerability, or new trends in detected exploits against particular products may be discovered that would change an Exploitability Index rating. The goal of the index, however, is to help customers prioritize the updates in the most current monthly release. Therefore, if information that would change an assessment emerges within the first month of a security release, Microsoft updates the Exploitability Index. If the information becomes available in subsequent months, after most customers have made their prioritization decisions, the Exploitability Index is not updated, because the change is no longer useful to the customer. When an Exploitability Index rating is corrected in a way that reflects increased risk to customers, the security update revision is incremented at the major version number (for instance, from 1.0 to 2.0). When risk is adjusted downward, the update revision is incremented at the minor version number (for instance, from 1.0 to 1.1).
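The following is an added example, not Microsoft's code, showing how a patch-management team might consume the published table columns (Publicly disclosed, Exploited, Latest/Older release ratings, Denial of service) to order deployment, and how the revision-increment rule for corrected ratings applies. The ordering policy, the `IndexEntry` structure and the CVE IDs are assumptions and constructed placeholders, not values from any real advisory.

```python
from dataclasses import dataclass

# Added example (not Microsoft's code): triage rows of the Exploitability
# Index table and apply the revision-increment rule for corrected ratings.
# CVE IDs below are constructed placeholders, not real advisories.

RATING_NAMES = {0: "Exploitation Detected", 1: "Exploitation More Likely",
                2: "Exploitation Less Likely", 3: "Exploitation Unlikely"}

@dataclass(frozen=True)
class IndexEntry:
    """One row of the index table for a single CVE (columns as published)."""
    cve_id: str
    publicly_disclosed: bool
    exploited: bool
    latest_release: int      # rating for the latest software release
    older_releases: int      # aggregate rating for older software releases
    denial_of_service: str   # "Temporary", "Permanent" or "Not applicable"

def deployment_order(entries, running_latest=True):
    """Return entries ordered for update deployment, highest risk first.
    Policy (an assumption, not a Microsoft rule): already-exploited first,
    then lower index rating (0 is highest risk), then publicly disclosed
    before undisclosed, then Permanent DoS before Temporary."""
    dos_rank = {"Permanent": 0, "Temporary": 1, "Not applicable": 2}
    def key(e):
        rating = e.latest_release if running_latest else e.older_releases
        return (not e.exploited, rating, not e.publicly_disclosed,
                dos_rank.get(e.denial_of_service, 2), e.cve_id)
    return sorted(entries, key=key)

def bump_revision(revision, old_rating, new_rating):
    """Page rule: a correction that increases risk (rating number goes down)
    bumps the major number (1.0 -> 2.0); a downward risk adjustment bumps
    the minor number (1.0 -> 1.1). An unchanged rating keeps the revision."""
    major, minor = (int(p) for p in revision.split("."))
    if new_rating < old_rating:
        return f"{major + 1}.0"
    if new_rating > old_rating:
        return f"{major}.{minor + 1}"
    return revision

SAMPLE = [  # constructed sample rows, one per placeholder CVE
    IndexEntry("CVE-0000-0001", False, False, 1, 1, "Not applicable"),
    IndexEntry("CVE-0000-0002", True, False, 2, 1, "Permanent"),
    IndexEntry("CVE-0000-0003", False, True, 3, 3, "Temporary"),
    IndexEntry("CVE-0000-0004", True, False, 1, 1, "Not applicable"),
]

if __name__ == "__main__":
    for e in deployment_order(SAMPLE):
        print(e.cve_id, RATING_NAMES[e.latest_release], e.denial_of_service)
```

Passing `running_latest=False` ranks by the "Older software release(s)" column instead, which changes the order when the two columns differ.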
The Exploitability Index is separate from, and not related to, other rating systems. However, the MSRC is a contributing member of the Common Vulnerability Scoring System (CVSS) working group, and Microsoft shares its experience and customer feedback from building and releasing the Exploitability Index with that group to help ensure the CVSS is effective and actionable.