Microsoft's attempt to predict whether hackers will create reliable exploit code for its bugs is right only 27 percent of the time, the company admits.
Computerworld reports that the "Exploitability Index" was intended to give customers more information to decide which vulnerabilities should be fixed first. But it turns out that Microsoft's predictions that a bug would be exploited proved correct only a little more than one time in four. Andrew Storms, director of security operations at nCircle Network Security, points out:
That's not as good as a coin toss. So what's the point?
Still, Microsoft defends its predictions:
The higher false positive rate for Critical security bulletins can be attributed to the conservative approach used during the assessment process to ensure the highest degree of customer protection for the most severe class of issues.