"On Oct. 14, 2008, Microsoft added another piece of information to the bulletin summary to better help customers with their risk assessment process: the Exploitability Index. This section is a brief overview to explain how customers can integrate the Exploitability Index with the Severity Rating system into their own risk assessment process.

The Exploitability Index makes an assessment on the likelihood that code will be released that exploits the vulnerability or vulnerabilities addressed in a security bulletin within the first 30 days after that bulletin’s release. While the bulletin Severity Ratings assumes that all vulnerabilities discussed can be successfully exploited all the time, the Exploitability Index focuses on the potential likelihood that a successful exploitation of the vulnerabilities in the bulletin could occur based on currently known exploitation techniques.

In order to make this assessment, the Exploitability Index uses a number system along with a short description to denote likelihood of exploitation:"

Read more: http://technet.microsoft.com/en-us/library/dd145265.aspx