Microsoft Exploit Predictions Right 40% of Time
CWmike writes "Microsoft today called its first month of predicting whether hackers will create exploit code for its bugs a success — even though the company got its forecast right just 40% of the time for October. 'I think we did really well,' said Mike Reavey, group manager at the Microsoft Security Research Center (MSRC), when asked for a postmortem evaluation of the first cycle of the team's Exploitability Index. 'Four of the [nine] issues that we said were consistent exploit code was likely did have exploit code appear over the first two weeks. And another key was that in no case did we rate something too low.' Microsoft's Exploitability Index was introduced last month."
Re:This is why Microsoft software sucks (Score:5, Interesting)
40% accuracy in predicting with no false negatives? There are plenty of disaster agencies around the world who would be incredibly pleased with that kind of accuracy.
Re:Congratulations? (Score:3, Interesting)
Indeed. I swear, I called it: it's easier to predict the holes when you release them yourself [today.com].
After what was expected to be an unusually quiet Patch Tuesday, Microsoft has released eight patches for applications with an insufficient number of security holes. "Our market is the enterprise," said Microsoft security marketer Jonathan Ness. "Information technology professionals know that Windows is the greatest IT job creation scheme in history. Without Patch Tuesday, there's no reason for the experienced IT worker to spend his time hiding out in the server room watching progress bars and getting over his hangover. Also, you can't tell people a virus ate their mail, you actually have to get it back for them."
Re:Congratulations? (Score:2, Interesting)
That's great, guys, but don't you think being proud that you were right about your code being exploited is... backwards?
Well, they're not proud of making exploitable code (if they were, there would have been a giant endless party at Microsoft for the last 20 years), they're proud of predicting when/how fast their code will be exploited.
That's like being proud you correctly predicted you would get stabbed while walking through a ghetto wearing gang colors.
No, it's like correctly predicting that you'll get stabbed 17 minutes after entering the ghetto, by 6 gang members dressed in red.
Re:Still not getting it. (Score:3, Interesting)
You mean, like Apple's Leopard release? Or Apple's iPhone 3G release? Or Apple's MobileMe release?
I fail to see how Microsoft has a reputation of releasing 'bananaware' whereas Apple doesn't. I don't recall hearing about major, crippling bugs when Office 2007 came out (one of their biggest apps), and regardless of what you hear on Slashdot, Vista was actually a solid enough release and most of the issues were due to bad drivers that manufacturers didn't bother updating a year beforehand when they had betas and release candidates. (Not saying that neither had bugs, they did, but they were in no way 'beta' software.)
the new bar (Score:2, Interesting)
Microsoft Security Research Centre is a success as a disaster agency? A bit harsh, but I suppose so...
40% with only two possible outcomes (Score:2, Interesting)
They tried to predict if a hole will be exploited or not. Those are two outcomes. If you were to guess you would end up with a 50% chance of guessing right.
And they were only 40% right and 60% wrong?
Thanks, Microsoft! (Score:3, Interesting)
No one seems to be looking at this from the opposite angle.
If I'm writing malware that's going to need to exploit Windows, this gives me an easy chart of which exploit I should pick -- the ones with the lowest patch priority, of course.