
Microsoft Raises Exploitability Index Rating Based On Secunia Research Analysis

16:17 CET on the 23rd September 2010
Entry written by Thomas Kristensen.

On Tuesday 14th September, Microsoft released 9 security bulletins to address various vulnerabilities in their products. One of these bulletins, MS10-063, discussed a vulnerability in the Uniscribe Unicode Scripts Processor component, usp10.dll, which is a collection of APIs enabling formatting of complex scripts. The accompanying Exploitability Index rating was set to 2, meaning that only inconsistent exploit code was likely to be seen within the next 30 days.

Whenever Microsoft and other major vendors issue patches, reverse engineers in the Secunia Research team are tasked with analysing the patches to determine details about the fixed vulnerability (e.g. core problem, attack vectors, requirements), assess the likelihood of reliable exploitation, determine workarounds, and conclude whether the patch properly fixes the vulnerability.

During analysis of MS10-063 it was discovered that Microsoft had fixed two very similar array-indexing vulnerabilities in different functions. Upon further analysis, it was concluded that at least one of the fixed vulnerabilities could be exploited in a reliable manner, not in the unreliable (inconsistent) manner that Microsoft had evaluated.

On Friday 17th September, Secunia Research contacted Microsoft and provided full details on the performed analysis to work with the vendor on raising the exploitability index rating to 1 (consistent exploit code likely) in order to ensure that customers would properly prioritise the update.

On Tuesday 21st September, Secunia updated the Secunia advisory covering MS10-063, SA41396, with full details of the vulnerability and likelihood of exploitation in the "Extended Description" section available to customers on Secunia's EVM, VIF, and BA solutions. Later that day, Secunia also updated the public "Description" section of the advisory with additional details.

On Wednesday 22nd September at 2pm PST, Microsoft updated the exploitability index rating from 2 to 1 for MS10-063 in the "Microsoft Security Bulletin Summary for September 2010", acknowledging Secunia's assistance ("Microsoft thanks the following for working with us to help protect customers: Carsten H. Eiram of Secunia for reporting information that led to an Exploitability Index change for CVE-2010-2738 in MS10-063").

This is just one of many examples of the high level of competencies in the Secunia Research team and the amount of work and in-depth analysis that goes into ensuring that Secunia can offer the most trustworthy and reliable Vulnerability Intelligence of the highest quality.

Stay Secure,

Thomas Kristensen
CSO



