Microsoft's monthly predictions about whether hackers will create reliable exploit code for its bugs were right only about a quarter of the time in the first half of 2009, the company acknowledged Monday.

"That's not as good as a coin toss," said Andrew Storms, director of security operations at nCircle Network Security. "So what's the point?"

In October 2008, Microsoft added an "Exploitability Index" to the security bulletins it issues each month. The index rates bugs on a scale from 1 to 3, with 1 indicating that consistently-successful exploit code was likely in the next 30 days, and 3 meaning that working exploit code was unlikely during that same period.

The idea was to give customers more information to decide which vulnerabilities should be patched first. Before the introduction of the index, Microsoft only offered impact ratings -- "critical," "important," "moderate" and "low" -- as an aid for users puzzled by which flaws should be fixed immediately and which could be set aside for the moment.

But in the first half of this year, Microsoft correctly predicted exploits just slightly more than one out of every four times.

Full story: Computerworld