Security auditing vendor nCircle Network announced free priority ratings for patches coming from Microsoft, Adobe, Apple and others, offering IT managers and end users help in deciding what should be fixed first.
Dubbed “Patch Priority Index,” nCircle's scoring system is not meant to replace the security update guidance that a company like Microsoft offers, said Andrew Storms, nCircle's director of security operations. But for patches issued by other firms, such as Adobe and Apple, the index will bring some of Microsoft's benchmark-setting practices to fixes that currently aren't ranked.
“For Adobe, which generally just uses one sentence to describe each vulnerability it's patching, it's all or nothing, either download and install it, or don't,” Storms said, referring to that company's lack of any ranking or rating system to help users prioritize patches.
nCircle's index will start prioritizing Adobe's patches in April, when Adobe delivers its next regularly scheduled set of security updates for its PDF viewing and editing software, Reader and Acrobat.
“There's a deluge of patches,” said Storms. “This has everything to do with prioritization and resources. But we've always been focused on today,” he said, pointing out that Microsoft's patch advice only concerns the updates issued that month. “They're just using a month's timeframe to tell you what's most important, but [our index] will include the entire 12 trailing months because we recognize that many can't get their patches out within 30 days, or even 60.
“Our idea is that while today is important and the patches should be reviewed, it's often more important that you're caught up,” said Storms.
A trial run of the index done last week, after Microsoft shipped this month's 13 updates, produced a top 10 made up entirely of patches from 2009. In other words, none of the 35 vulnerabilities patched thus far in 2010 made nCircle's top 10.
That's because one of the factors nCircle uses to calculate the index is the length of time since a patch was issued. “The longer a vulnerability is known, the more likely that exploit code is available,” said Storms. Other criteria used to create a given patch's priority include the class of the underlying vulnerability — bugs that can be used to hijack a system get a higher number than those that cannot, for example — and what nCircle describes as the vulnerability's “skill set.”
“That's how easy our researchers think the vulnerability is to exploit,” said Storms.
nCircle researchers evaluate each vulnerability and patch to determine the class and skill set components to the final index value. “Every single CVE gets a human eye,” said Storms, talking about the Common Vulnerabilities and Exposures identifier each security bug is assigned by the patching vendor.
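The article names three inputs to the index (time since the patch shipped, the class of the underlying bug, and how much skill exploitation needs) and says the result has no ceiling and covers the trailing 12 months. The sketch below is an added illustration of that kind of age-weighted backlog ranking; it is not nCircle's code, and the weights, the multiplicative formula, the `EX-…` identifiers and the release dates are all constructed for the example, since nCircle does not publish its formula.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical weights (assumption, not nCircle's). Higher means fix sooner.
CLASS_WEIGHT = {
    "remote_code_execution": 10,   # "hijack a system" class
    "privilege_escalation": 6,
    "info_disclosure": 3,
    "denial_of_service": 2,
}
# "Skill set": the less skill an attacker needs, the higher the weight.
SKILL_WEIGHT = {"low": 3, "medium": 2, "high": 1}


@dataclass(frozen=True)
class Patch:
    id: str            # constructed placeholder, not a real CVE
    vendor: str
    released: date
    vuln_class: str
    skill: str


def priority(patch: Patch, today: date) -> int:
    """Unbounded score: class weight x skill weight x days outstanding.

    Age is linear and uncapped, so a score keeps climbing the longer a
    patch stays undeployed; that is the "we don't stop at 10" property.
    """
    age_days = max(1, (today - patch.released).days)
    return CLASS_WEIGHT[patch.vuln_class] * SKILL_WEIGHT[patch.skill] * age_days


def rank(patches: list[Patch], today: date, window_days: int = 365) -> list[Patch]:
    """Keep only patches released within the trailing window (default 12
    months) and return them most-urgent first."""
    in_window = [p for p in patches if 0 <= (today - p.released).days <= window_days]
    return sorted(in_window, key=lambda p: priority(p, today), reverse=True)


# Constructed sample backlog, evaluated as of a February 2010 patch cycle.
TODAY = date(2010, 2, 15)
SAMPLE_PATCHES = [
    Patch("EX-2009-01", "Microsoft", date(2009, 3, 10), "remote_code_execution", "low"),
    Patch("EX-2009-02", "Microsoft", date(2009, 1, 13), "remote_code_execution", "low"),  # >365 days: drops out
    Patch("EX-2009-03", "Adobe",     date(2009, 10, 13), "denial_of_service", "high"),
    Patch("EX-2010-01", "Microsoft", date(2010, 2, 9),  "remote_code_execution", "low"),
    Patch("EX-2010-02", "Microsoft", date(2010, 1, 12), "privilege_escalation", "medium"),
]


if __name__ == "__main__":
    for p in rank(SAMPLE_PATCHES, TODAY):
        print(f"{priority(p, TODAY):>6}  {p.id}  {p.vendor}  {p.vuln_class}/{p.skill}")
```

Run as-is, the eleven-month-old remote code execution bug scores 10260 while the six-day-old one of the same class scores 180, which is the effect the article describes: this month's patches are not the top of the list if last year's are still missing. The uncapped linear age term is a deliberate simplification; in practice you would want the age factor to saturate (or to be driven by whether public exploit code actually exists) so that a stale denial-of-service fix does not eventually outrank every fresh remote code execution patch.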
The free priority index uses a scoring system that will be unfamiliar to people used to Microsoft's four-step rankings of critical through low. “We don't stop at 10,” said Storms. “There's no upper range.”
Indeed, nCircle's February top 10 of Microsoft patches starts at No. 10, which has an index value of 3011, and climbs to 13,868 for No. 1.
“We're not saying ours is the best [patch priority ranking], but we do think it's complementary to what's already out there,” said Storms.
The index can be viewed on nCircle's site.