Microsoft Security Bulletin Severity Rating System Changes
From: lappy (laptopdancer@hotmail.com)
Date: 11/19/02
- Next message: Juan: "password"
- Previous message: Michael Primeaux: "Debugging an MSGINA.DLL Replacement"
- In reply to: Jerry Bryant [MS]: "Microsoft Security Bulletin Severity Rating System Changes"
- Next in thread: Karl Levinson [x y] mvp: "Re: Microsoft Security Bulletin Severity Rating System Changes"
- Reply: Karl Levinson [x y] mvp: "Re: Microsoft Security Bulletin Severity Rating System Changes"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "lappy" <laptopdancer@hotmail.com> Date: Mon, 18 Nov 2002 16:34:14 -0800
>-----Original Message-----
>The Microsoft Security Response Center is modifying the severity rating
>scheme for Microsoft issued security bulletins. These changes will be
>announced on Monday afternoon, November 18, 2002. Please review the
>following changes.
>
>
>Microsoft Security Response Center Security Bulletin Severity Rating System
>(Revised, November 2002)
>
>The mission of the Microsoft Security Response Center (MSRC) is to help our
>customers operate their systems and networks securely. A major part of this
>mission involves evaluating customers' reports of suspected vulnerabilities
>in Microsoft products and, when necessary, ensuring that patches and
>security bulletins that respond to bona fide reports are produced and
>disseminated.
>
>The MSRC issues a bulletin for any product vulnerability that could, in our
>judgment, result in multiple customers' systems being impacted, no matter
>how unlikely or limited the impact. However, this conservative approach to
>identifying vulnerabilities that require action on our part may also have
>made it more difficult for many customers to identify those vulnerabilities
>that represent especially significant risks.
>
>All too often, customers fail to install the security patches that would
>protect their systems. In industry experience - graphically illustrated by
>the Code Red and Nimda worm viruses - attacks that impact customers' systems
>rarely result from attackers' exploitation of previously unknown
>vulnerabilities. Rather, such attacks typically exploit vulnerabilities for
>which patches have long been available, but never applied.
>
>Not all vulnerabilities have equal impact on all users. This document
>presents our security bulletin severity rating system. This system, which we
>revised in November 2002 based on customer feedback, is intended to help our
>customers decide which patches they should apply to avoid impact under their
>particular circumstances, and how rapidly they need to take action.
>Customers have encouraged us to include this information in our bulletins to
>help them assess their risk.
>
>The Severity Rating System:
>The severity rating system provides a single rating for each vulnerability.
>The definitions of the ratings are:
>
>Critical:
>A vulnerability whose exploitation could allow the propagation of an
>Internet worm such as Code Red or Nimda without user action.
>
>Important:
>A vulnerability whose exploitation could result in compromise of the
>confidentiality, integrity, or availability of users' data, or of the
>integrity or availability of processing resources.
>
>Moderate:
>Exploitability is mitigated to a significant degree by factors such as
>default configuration, auditing, or difficulty of exploitation.
>
>Low:
>A vulnerability whose exploitation is extremely difficult, or whose impact
>is minimal.
>
>We will, where appropriate, point out cases where the severity of a
>vulnerability depends on system environment or use. The ratings will make
>the conservative assumption that the vulnerability is known and that code or
>scripts that exploit the vulnerability are widely available.
>
>Using the System:
>We will apply this severity rating system to each newly-issued security
>bulletin from this point forward. With regard to patches that address
>multiple vulnerabilities, we will label each according to the most serious
>new vulnerability that it eliminates. In addition, the associated bulletin
>will always provide ratings for each issue described.
>
>We believe that customers who use an affected product should almost always
>apply patches that address vulnerabilities rated "critical" or "important."
>Patches rated "critical" should be applied in an especially timely manner.
>Customers should read the security bulletin associated with any
>vulnerability rated "moderate" or "low" to determine whether the
>vulnerability is likely to affect their particular configuration. We
>believe that patches rated "low" are less likely to affect most customers.
>
>While this severity rating system is intended to provide a broadly objective
>assessment of each issue, we strongly encourage customers to evaluate their
>own environments and make decisions about which patches are required to
>protect their systems.
>
>This information will be available on Monday, Nov 18, 2002 at
>http://www.microsoft.com/technet/security/policy/rating.asp
>
>If you have any questions regarding the patch or its implementation after
>reading the above listed bulletin you should contact Product Support
>Services in the United States at 1-866-PCSafety (1-866-727-2338).
>International customers should contact their local subsidiary.
>
>
>--
>Regards,
>
>Jerry Bryant - MCSE, MCDBA
>Microsoft IT Communities
>
>Get Secure! www.microsoft.com/security
>
>
>This posting is provided "AS IS" with no warranties, and confers no rights.
>
That's all very nice Jerry, and with all due respect, Microsoft's security should be posted under "joke of the day" and nowhere else. If Microsoft's security was looking after Saddam or bin Laden they'd be dead long ago. Sorry for the rant, but MS piss me off with their security crap.