Microsoft’s Exploitability Index underwent some changes today.
“The Exploitability Index assesses the likelihood of functional exploit code being developed for a particular vulnerability. By providing the index information month over month, we’re helping customers prioritize the security updates that matter to them. The Exploitability Index will continue to provide an aggregate exploitability rating across all affected products, and the improvements made to Exploitability Index will now offer additional information to help customers prioritize bulletins, specifically for the most recent platforms, e.g. Windows 7 Service Pack 1 and Office 2010,” Microsoft informs.
“For example, the Exploitability Index for CVE-2011-0097, a security issue addressed by MS11-021 in the April 2011 release, originally rated a ‘1 – Consistent Exploit Code Likely’. However, under the previous system, the Exploitability Index didn’t specifically illustrate that customers using Excel 2010 were at less risk; with Excel 2010, CVE-2010-0097 would rate a ‘2 – Inconsistent Exploit Code Likely’. In fact, our research has shown that 37% of the vulnerabilities addressed since July 2010 have had similar results; the latest platform was either entirely unaffected, or significantly more difficult to exploit,” added MSRC.
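The practical consequence of the change is that a bulletin can carry two ratings: the aggregate rating across all affected products and a rating specific to the latest platform. The following is an added example, not code from the article or from Microsoft, showing how a patch-prioritization script would pick the rating that applies to a given deployment and order bulletins accordingly. MS11-021 / CVE-2011-0097 with an aggregate rating of 1 and an Excel 2010 rating of 2 comes from the article; the other bulletin IDs and CVE numbers are constructed placeholders, and the third rating level is assumed from Microsoft’s published scale rather than quoted on this page.

```python
"""Prioritize Microsoft security bulletins by Exploitability Index rating.

Added example, not from the article or from Microsoft. It models the
distinction the article describes: an aggregate rating across all affected
products versus a rating specific to the latest platform (e.g. Excel 2010).
"""
from dataclasses import dataclass, field

# Rating scale: a lower number means exploit code is more likely, so it gets
# higher patch priority. Level 3 is assumed from Microsoft's scale; the article
# only quotes levels 1 and 2.
RATING_LABELS = {
    1: "Consistent Exploit Code Likely",
    2: "Inconsistent Exploit Code Likely",
    3: "Functional Exploit Code Unlikely",
}


@dataclass
class Bulletin:
    bulletin_id: str
    cve: str
    aggregate_rating: int
    # platform name -> rating for that platform, when the index provides one
    platform_ratings: dict = field(default_factory=dict)


def effective_rating(b: Bulletin, platform: str) -> int:
    """Rating that applies to a deployment on `platform`.

    Uses the platform-specific rating when the index publishes one for that
    platform; otherwise falls back to the aggregate rating across all products.
    """
    return b.platform_ratings.get(platform, b.aggregate_rating)


def prioritize(bulletins, platform):
    """Return bulletins sorted most-urgent first for a deployment on `platform`."""
    return sorted(bulletins, key=lambda b: (effective_rating(b, platform), b.bulletin_id))


def priority_order(platform, bulletins=None):
    """Bulletin IDs in patch order for `platform` (helper for callers and tests)."""
    return [b.bulletin_id for b in prioritize(bulletins or SAMPLE, platform)]


# Sample data. MS11-021 / CVE-2011-0097 is the article's example; the other
# two entries are constructed placeholders, not real bulletins.
SAMPLE = [
    Bulletin("MS11-021", "CVE-2011-0097", 1, {"Excel 2010": 2}),
    Bulletin("MS11-0XX", "CVE-XXXX-0001", 2, {"Excel 2010": 1}),  # constructed
    Bulletin("MS11-0YY", "CVE-XXXX-0002", 3),                      # constructed
]

if __name__ == "__main__":
    # "Excel 2003" has no platform-specific rating, so the aggregate applies.
    for platform in ("Excel 2003", "Excel 2010"):
        order = priority_order(platform)
        labels = [RATING_LABELS[effective_rating(b, platform)] for b in prioritize(SAMPLE, platform)]
        print(platform, list(zip(order, labels)))
```

On an older platform the aggregate rating drives the order and MS11-021 comes first; on Excel 2010 the same bulletin drops to a 2 and a bulletin that is a 1 specifically on that platform moves ahead of it. That is the prioritization difference the new per-platform guidance is meant to surface.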
You can read Maarten Van Horenbeeck’s more in-depth blog post on the background of the Exploitability Index and the value of these improvements: “Exploitability Index Improvements Now Offer Additional Guidance”.