Tuesday, June 14, 2011

Assessing the Risk of Microsoft's June Security Updates

Terminology - Microsoft releases "bulletins" which contain fixes or patches for individual vulnerabilities. It isn't uncommon to see people call a single bulletin (MS11-050) a "patch", but it is important to remember that, most of the time, a single bulletin addresses many vulnerabilities.


This month, the number of bulletins rated critical was nine, which is the exact number outlined in the advanced notification.

However, the Exploitability Index was recently split into two separate ratings:
  • Exploitability Index for Latest Software Release (Windows 7 & 2008 R2)
  • Exploitability Index for Older Software Releases (Windows XP)

According to today’s bulletin summary, CVE-2011-1262 (part of MS11-050) has an exploitability index of “2” for new operating systems and an exploitability index of “1” for older operating systems. New operating systems have more mitigation layers (DEP on by default, ASLR, UAC, etc.) and are therefore harder to exploit than older operating systems. The summary table lists these details for each vulnerability in each bulletin.

The SRD table, by contrast, combines all of the individual vulnerability data and lists the “max” severity rating and the “max” exploitability rating (in this case the lowest number, since a lower index means more exploitable) for each bulletin as a whole.

Given all of this, I would say the numbers in the SRD table seem to be the safest route when assessing the risk.
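The roll-up described above, as an added example that is not part of the original post: it takes per-CVE rows carrying a severity and the two Exploitability Index columns, and produces one worst-case row per bulletin the way the SRD table does (highest severity, numerically lowest index, with a not-affected column ignored), then orders bulletins for patching by severity and then by the more exploitable of the two columns. The MS11-050 / CVE-2011-1262 row with its 2 / 1 indexes comes from the post; every other bulletin id, CVE id and severity value in the sample is constructed and labelled as such.

```python
"""Roll per-vulnerability ratings up to per-bulletin ratings, the way the
SRD summary table does: take the highest severity and the most exploitable
(numerically lowest) Exploitability Index across every CVE in the bulletin."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Microsoft's severity scale, least to most severe.
SEVERITY_ORDER = {"Low": 0, "Moderate": 1, "Important": 2, "Critical": 3}

# Exploitability Index values in use in 2011: 1 = consistent exploit code likely,
# 2 = inconsistent exploit code likely, 3 = functioning exploit code unlikely.
# None means that software release is not affected by the CVE.


@dataclass(frozen=True)
class VulnEntry:
    bulletin: str
    cve: str
    severity: str
    latest_index: Optional[int]  # Exploitability Index, latest software release
    older_index: Optional[int]   # Exploitability Index, older software releases


@dataclass
class BulletinRollup:
    severity: str
    latest_index: Optional[int]
    older_index: Optional[int]

    def worst_index(self) -> Optional[int]:
        """Most exploitable rating across both release columns."""
        return min_index(self.latest_index, self.older_index)


def min_index(a: Optional[int], b: Optional[int]) -> Optional[int]:
    """Lower index = more exploitable, so the 'max' exploitability is the min.
    A not-affected (None) column does not make the bulletin look safer."""
    present = [x for x in (a, b) if x is not None]
    return min(present) if present else None


def rollup(entries: Iterable[VulnEntry]) -> Dict[str, BulletinRollup]:
    """Aggregate per-CVE rows into one worst-case row per bulletin."""
    result: Dict[str, BulletinRollup] = {}
    for e in entries:
        cur = result.get(e.bulletin)
        if cur is None:
            result[e.bulletin] = BulletinRollup(e.severity, e.latest_index, e.older_index)
            continue
        if SEVERITY_ORDER[e.severity] > SEVERITY_ORDER[cur.severity]:
            cur.severity = e.severity
        cur.latest_index = min_index(cur.latest_index, e.latest_index)
        cur.older_index = min_index(cur.older_index, e.older_index)
    return result


def prioritize(rollups: Dict[str, BulletinRollup]) -> List[str]:
    """Order bulletins for patching: highest severity first, then most exploitable.
    A bulletin with no exploitability rating at all sorts after index 3."""
    def key(item):
        name, r = item
        worst = r.worst_index()
        return (-SEVERITY_ORDER[r.severity], 4 if worst is None else worst, name)
    return [name for name, _ in sorted(rollups.items(), key=key)]


def summary_table(entries: Iterable[VulnEntry]) -> List[tuple]:
    """Return (bulletin, severity, latest, older) rows in patch-priority order."""
    r = rollup(entries)
    return [(b, r[b].severity, r[b].latest_index, r[b].older_index) for b in prioritize(r)]


# Constructed sample. MS11-050 / CVE-2011-1262 and its 2 / 1 indexes are from the post;
# the severity on that row and every other bulletin id, CVE id and rating is made up.
SAMPLE_ENTRIES = [
    VulnEntry("MS11-050", "CVE-2011-1262", "Critical", 2, 1),
    VulnEntry("MS11-050", "CVE-EXAMPLE-A", "Important", 3, 3),
    VulnEntry("MS11-050", "CVE-EXAMPLE-B", "Critical", 3, None),  # older releases not affected
    VulnEntry("MS-EXAMPLE-2", "CVE-EXAMPLE-C", "Important", 1, 1),
    VulnEntry("MS-EXAMPLE-2", "CVE-EXAMPLE-D", "Moderate", 2, 2),
]


if __name__ == "__main__":
    for row in summary_table(SAMPLE_ENTRIES):
        print(row)
```

Running the sample gives MS11-050 as Critical with indexes 2 (latest) and 1 (older), so the bulletin-level rating is driven by the older-release column even though the Windows 7 rating alone would suggest a lower chance of reliable exploit code. That is the point of reading the SRD roll-up when assessing risk: it never understates a bulletin relative to any one of its vulnerabilities or platforms.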
