Microsoft unveiled its Exploitability Index in October in order to help users prioritize the deployment of security patches. In the Exploitability Index, Microsoft rates the likelihood of exploit code being written to attack its software on a scale of 1 to 3.
A rating of 1 indicates that consistent exploit code is likely. A rating of 2 predicts that inconsistent exploit code is likely. The lowest rating, 3, is for risks where functioning exploit code is unlikely.
According to a post by Mike Reavey, after one month of review, Microsoft feels that it hit the nail on the head. Microsoft issued 12 Security Bulletins in October and addressed 21 vulnerabilities. So far, no functioning exploit code has appeared to attack the four vulnerabilities it rated lowest. According to Reavey, "our main measure for success is to make sure we avoid rating something in the index 'lower' than it actually should be once under full public view."