"On Oct. 14, 2008, Microsoft added another piece of
information to the bulletin summary to better help customers with their risk
assessment process: the Exploitability Index. This section is a brief overview
to explain how customers can integrate the Exploitability Index with the
Severity Rating system into their own risk assessment process.
The Exploitability Index makes an assessment on the likelihood
that code will be released that exploits the vulnerability or vulnerabilities
addressed in a security bulletin within the first 30 days after that bulletin’s
release. While the bulletin Severity Ratings assumes that all vulnerabilities
discussed can be successfully exploited all the time, the Exploitability Index
focuses on the potential likelihood that a successful exploitation of the
vulnerabilities in the bulletin could occur based on currently known
exploitation techniques.
In order to make this assessment, the Exploitability Index
uses a number system along with a short description to denote likelihood of
exploitation:"
Read more: http://technet.microsoft.com/en-us/library/dd145265.aspx
