I am participating in the next release of CVSSv3 and have recommended the following improvements be considered by the CVSS-SIG as part of their “Call for Subjects” which closes tomorrow (Saturday 16 June 2012):
1. Base Metric
- The client(s), i.e. web browser, within “Attack Vector”.
- “Something You Have” schemes, such as Token, S/Key, etc., as a reduction of the “Authentication” value.
- Integration with the “Environmental” Metric e.g. does an attack need to crack passwords, be in the proximity of a wireless network, etc.
2. Temporal Metric
- Establish a real-time feed for temporal metrics e.g. is a worm specifically targeting my network range?
- Consideration of fuzzing before the release of the patch or after the release of the workaround.
- Consideration of binary diff after the release of the patch.
3. Environmental Metric
- “Pivoting” to other vulnerable hosts.
- CAPEX to implement the patch and/or workaround, with consideration that the CAPEX to implement a patch would be reduced if the release date of the patch is announced and widely known, e.g. Microsoft’s “Patch Tuesday”, but would increase if the release was unexpected, i.e. Microsoft’s “Out of Band” patch.
- The integrity and confidentiality of the automated update technology e.g. what countermeasures are available for http://www.infobytesec.com/down/isr-evilgrade-Readme.txt or https://speakerdeck.com/u/asotirov/p/analyzing-the-md5-collision-in-flame.
- Technical level of knowledge required for Attack Complexity.