Newsletter Archives

• What does “Exploitation less likely” really mean?

  Posted on September 19, 2020 at 16:11 CDT by woody • Comment in the Forums

  All of Microsoft’s separately identified security holes – CVEs in the parlance – are given an “Exploitability Index” level. Microsoft’s official definition looks like this:

  1 – Exploitation More Likely
  Microsoft analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability. Moreover, Microsoft is aware of past instances of this type of vulnerability being exploited. This would make it an attractive target for attackers, and therefore more likely that exploits could be created. As such, customers who have reviewed the security update and determined its applicability within their environment should treat this with a higher priority.

  2 – Exploitation Less Likely
  Microsoft analysis has shown that while exploit code could be created, an attacker would likely have difficulty creating the code, requiring expertise and/or sophisticated timing, and/or varied results when targeting the affected product. Moreover, Microsoft has not recently observed a trend of this type of vulnerability being actively exploited in the wild. This makes it a less attractive target for attackers. That said, customers who reviewed the security update and determined its applicability within their environment should still treat this as a material update. If they are prioritizing against other highly exploitable vulnerabilities, they could rank this lower in their deployment priority.

  3 – Exploitation Unlikely
  Microsoft analysis shows that successfully functioning exploit code is unlikely to be utilized in real attacks. This means that while it might be possible for exploit code to be released that could trigger the vulnerability and cause abnormal behavior, the full impact of exploitation will be more limited. Moreover, Microsoft has not observed instances of this type of vulnerability being actively exploited in the past. Thus, the actual risk of being exploited from this vulnerability is significantly lower. Therefore, customers who have reviewed the security update to determine its applicability within their environment could prioritize this update below other vulnerabilities within a release.

  There’s a series of tweets that explains the situation in a much more accessible manner:

  Jake Williams

  Yesterday, Microsoft announced there’s a remotely exploitable heap overflow in MS DNS on Server 2012R2 and later. Infosec, how are we not talking about this?!

  SwiftOnSecurity

  Microsoft marking exploitability as “less likely” has significantly impacted deployment efforts and awareness. I wish this rating was more detailed. Risk teams get put in crossfire for justifying emergency patches on vague info. Criticality is made irrelevant by this category.

  I recognize Microsoft is in an impossible position here, I just don’t know what I’m supposed to do when a 1-click global network compromise CVE is tagged “exploitation less likely.”

  Like, does “exploitation less likely” mean it’s so complex you think an attacker can’t figure it out, or that individual exploitation attempts are unlikely to succeed? What if they try 1000x a second across 50 Domain Controllers? If so, how do I detect these attempts?

  Katie Moussouris

  It means that within 2 weeks of the patch release, unless exploit code is released, it is less likely that attackers will use this vulnerability versus others that are more easily exploitable. It’s a bet meant to differentiate between highly reliable exploitation vs less likely.

  It’s because customers were using the criticality rating that indicates the max impact *if exploited*, and leaving highly exploitable lower severity issues unpatched for a Very Unwise Amount of Time.

  And that, to me, is the definitive answer. Thx Clément Notin

  Windows Patches/Security Exploitability Index