Every second Tuesday, MSRC releases security patches for vulnerabilities that have been fixed in Microsoft products. The ideal Patch Tuesday would have no patches at all, so that administrators could take a break from installing patches across their server farms and enterprise desktops. It will be a long road, however, before Microsoft gets to zero security bugs across all products.
Until it reaches that elusive zero-bug milestone, Microsoft continues to innovate on its security bug release process to better inform the public about those vulnerabilities, so that administrators can make informed decisions about their patching schedule.
Starting with the October 2008 Patch Tuesday, an Exploitability Index will be associated with each bulletin. The Exploitability Index is a number from 1 to 3 indicating exploitability, with 1 being the most serious in terms of exploitability.

| Exploitability Index Assessment | Short Definition |
|---|---|
| 1 | Consistent exploit code likely |
| 2 | Inconsistent exploit code likely |
| 3 | Functioning exploit code unlikely |

This gives administrators another data point for measuring risk and deciding on patching priority for any given bulletin.