Feeds

MS roll out exploit prediction with Patch Tuesday

Here is the attack forecast

Internet Security Threat Report 2014

Microsoft plans to debut impact predictions related to vulnerabilities with the next edition of its Patch Tuesday update cycle.

The 11 bulletins due to arrive later on Tuesday (14 October) will contain "weather predictions" detailing factors such as whether exploit code is likely to appear, alongside the established rating system on the severity of vulnerabilities. Microsoft hopes its Exploitability Index will help organisations to prioritise patching.

Microsoft, unlike Cisco and organisations like US Cert, won't be rating vulnerabilities under Common Vulnerability Scoring System. This is because it reckons (with some justification) that descriptions such as 'critical' or 'moderate' are more meaningful to the majority of people than ratings of between one and ten covered by CVSS.

Information on whether or not an exploit is available and assessments on the severity of threats are already available through the SANS Institute's well regarded monthly summary of Microsoft's bulletin. The Exploitability Index, announced two months ago, adds a predictive (crystal ball gazing) element to the mix.

Microsoft is also due to begin rolling out a program to give security vendors advance details on upcoming patches. The Microsoft Active Protections Program (MAPP), also announced at the Black Hat conference back in August, will operate under non-disclosure agreements to give anti-virus suppliers and the like the chance to prepare for patches and the attacks against unpatched Windows PCs that sometimes follow. Previously, the likes of Symantec and Sophos had no more idea what was due to arrive on Patch Tuesday than the great unwashed.

Tuesday's updates are due to cover flaws involving various components of Windows and Office, as well as an update from Microsoft Host Integration Server software. Four of these updates earn the dreaded rating of critical. ®

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.