As noted last week, I find Microsoft’s severity ratings a bit confusing; but fortunately they also provide an exploitability index that tells us a bit more about how likely Microsoft thinks a particular vulnerability is to be exploited. So let’s have a look at how they rate this month’s updates:

The rating system

In Microsoft’s own words, the Exploitability Index describes how likely it is that a particular bug will be exploited:

This index provides customers with guidance on the likelihood of functioning exploit code being developed for vulnerabilities addressed by Microsoft security updates within the first thirty days of that update’s release.

While that’s very nice, it seems to me that they need to think more like their customers; for the average company it’s not very interesting to know whether or not a bug can actually be exploited. So keep in mind that the information Microsoft provides might not bear any relation to what you’ll see in terms of actual worm outbreaks. Seriously, who’d spend their time writing a virus that can only infect Visio files?

MS09-02: Internet Explorer


This one makes sense to me. Internet Explorer is a high-profile target, and if it’s also easy to create exploit code, this will be the #1 target for every malware author out there.

MS09-03: Exchange


This one looks pretty obvious at first sight too; but Microsoft has been wrong about the “inconsistent exploit” part before, and if anybody manages to create a reliable exploit for this it’s a spammer’s dream. The typical Exchange server will be full of working e-mail addresses, complete with names of the people they belong to. This will make spam runs more effective by reducing the number of bounces and personalizing messages.

Furthermore, these same Exchange servers are generally trusted sources of e-mail, complete with working SPF records, reverse DNS entries and the works. So using these to send spam might be an option as well at a later stage. Since many businesses use Exchange as their e-mail platform, and the address books on these servers will contain mostly other business addresses, a successful worm might spread incredibly fast.

MS09-04: SQL Server


Here the bulletin might just be plain wrong; this issue has been acknowledged by Microsoft since December 22, and there have been no large outbreaks of malware based on this vulnerability yet.

But keep in mind that technically this is 100% correct; there will be consistent exploit code within 30 days (in fact, it had been circulating for more than 30 days before this bulletin was published!), but since you need to be logged on to the SQL server before it will work, it’s just not a high-profile target.

MS09-05: Visio


I really doubt that there will be any exploit code for this, even within a year. Seriously, who’d want to attack Visio? The installed base is very low, and how do you get anyone to open an infected flowchart?