Patching and the Uncertainties of Exploitability

February 11, 2011

In late December, the latest IIS FTP service vulnerability was made public by Matthew Bergin. This event is significant because it has been a while since a Windows service last had an unauthenticated vulnerability. While the FTP server is not enabled by default, the service is widely deployed in web hosting. For most researchers in the community it was a little disheartening to see that the vulnerability resulted in a denial of service instead of remote code execution. Microsoft's exact words were: "Because of the nature of the overrun the probable result will only be a denial of service and not code execution."

Most large organizations have a difficult time patching vulnerabilities, because testing and rolling out fixes can be a costly process. Compounding this conundrum is the fact that many vulnerabilities are released without a working exploit. Businesses asked Microsoft for some indicator of exploitability, and Microsoft responded with the Exploitability Index. The idea is that a value ranging from one to three gives these organizations a metric to determine which patches to apply first.

Unfortunately, Microsoft lacks both the time and the resources to accurately measure the exploitability of every vulnerability before a patch is released. Exploitation is also more of an art form than an exact science, so producing quantitative data on the likelihood of exploitation is a perplexing proposition. Truly measuring exploitability requires researchers well versed in exploitation techniques, and such people are difficult to recruit. Therefore, although our opinion may differ from Microsoft's original stance on the exploitability of this particular vulnerability, there is no doubt in our minds that Microsoft conducted all due diligence when arriving at its conclusion.

When we first saw the report, we thought it was only a narrowing window of time before someone came out with an exploit. However, when January 7th came, we decided to develop empirical evidence for our gut feeling. When January 11th rolled around, we provided that empirical evidence to the people following us on Twitter (@nudehaberdasher and @hustlelabs): this vulnerability was indeed exploitable for code execution.

While executives require tactical information to form the best strategies for their individual organizations, providing this information requires a specialized skill honed through time, experience, poring through the disassembly of heap allocation routines, and the mindset of an exploit writer. We were grateful to have the opportunity to share our work, giving our Twitter followers a heads-up in real time, and are excited to speak about the specifics of this vulnerability and the exploitation techniques involved at a conference in the near future.
