Microsoft Raises Exploitability Index Rating Based On Secunia Research Analysis

16:17 CET on the 23rd September 2010
Entry written by Thomas Kristensen.

On Tuesday 14th September, Microsoft released 9 security bulletins to address various vulnerabilities in their products. One of these bulletins, MS10-063, discussed a vulnerability in the Uniscribe Unicode Scripts Processor component, usp10.dll, which is a collection of APIs enabling formatting of complex scripts. The accompanying Exploitability Index rating was set to 2, meaning that it was likely to see only inconsistent exploit code within the next 30 days.

Whenever Microsoft and other major vendors issue patches, reverse engineers in the Secunia Research team are tasked with analysing the patches to determine details about the fixed vulnerability (e.g. core problem, attack vectors, requirements), assess the likelihood of reliable exploitation, determine workarounds, and conclude whether the patch properly fixes the vulnerability.

During analysis of MS10-063 it was discovered that Microsoft had fixed two very similar array-indexing vulnerabilities in different functions. Upon further analysis, it was concluded that at least one of the fixed vulnerabilities could be exploited in a reliable manner, not in the unreliable (inconsistent) manner evaluated by Microsoft.

On Friday 17th September, Secunia Research contacted Microsoft and provided full details on the performed analysis to work with the vendor on raising the exploitability index rating to 1 (consistent exploit code likely) in order to ensure that customers would properly prioritise the update.

On Tuesday 21st September, Secunia updated the Secunia advisory covering MS10-063, SA41396, with full details of the vulnerability and likelihood of exploitation in the "Extended Description" section available to customers on Secunia's EVM, VIF, and BA solutions. Later that day, Secunia also updated the public "Description" section of the advisory with additional details.

On Wednesday 22nd September at 2pm PST, Microsoft updated the exploitability index rating from 2 to 1 for MS10-063 in the "Microsoft Security Bulletin Summary for September 2010", acknowledging Secunia's assistance ("Microsoft thanks the following for working with us to help protect customers: Carsten H. Eiram of Secunia for reporting information that led to an Exploitability Index change for CVE-2010-2738 in MS10-063").

This is just one of many examples of the high level of competence in the Secunia Research team and the amount of work and in-depth analysis that goes into ensuring that Secunia can offer the most trustworthy and reliable Vulnerability Intelligence of the highest quality.

Stay Secure,

Thomas Kristensen
