Critical now means "Critical and Important" [was Re: Microsoft Security Bulletin Severity Rating System Changes]

From: Kent W. England [MVP] (kwe@mvps.org)
Date: 12/07/02


From: "Kent W. England [MVP]" <kwe@mvps.org>
Date: Fri, 6 Dec 2002 15:49:06 -0800

Jerry;

I think it is important to note that the definition of critical has now
changed to mean "critical and important". From the redefinition:

Rating      Definition

Critical    A vulnerability whose exploitation could allow the
            propagation of an Internet worm without user action

Important   A vulnerability whose exploitation could result in
            compromise of the confidentiality, integrity, or
            availability of users' data, or of the integrity or
            availability of processing resources.

I would define "critical" as coming to mean "if you ignore this update,
you are negligent and subject to lawsuit" and "important" means "if you
ignore this update, your systems are known to be at risk". Customers
that are used to watching critical updates now need to watch critical
and important updates. They also need to understand that Microsoft is
acting on the knowledge that culpability and legal responsibility with
respect to the Internet are changing and that soon there will be
successful lawsuits over critical vulnerabilities left unpatched. Or, at
least, Microsoft will not earn an important Homeland Security Seal of
Approval if they don't close critical vulnerabilities.

Important updates are what customers are used to being concerned about.
That said, the new critical update definition is an important new
distinction.

(As an aside, I wonder if it is a critical update to an SMTP server to
make sure that it cannot propagate spam. I suppose if someone got spam
to be legally defined as harmful in the same way that trojans and
viruses are harmful, then I suspect that open relays are a critical
vulnerability and could form the basis of a lawsuit.)

-- 
Kent W. England, MS MVP for Windows XP
(Please respond only in the newsgroup)
"Jerry Bryant [MS]" <jbryant@online.microsoft.com> wrote in message
news:Oun99t#jCHA.2772@tkmsftngp10...
> > work I want to do inside this monster on my desk. Last week I began
> > looking for "ordinary" security measures for the "common man" so to
> > speak, and have not found what I need.
>
> Microsoft is trying to address these types of scenarios at
> www.microsoft.com/security.
>
> For home users, there is a specific section:
> http://www.microsoft.com/security/home/
>
> You may be interested in the following as well:
>
> Follow 7 steps to help personal computing security
> http://www.microsoft.com/security/articles/steps_default.asp
>
> 5-minute security advisor
> http://www.microsoft.com/TechNet/Columns/Security/5Min/Default.asp
>
> --
> Regards,
>
> Jerry Bryant - MCSE, MCDBA
> Microsoft IT Communities
>
> Get Secure! www.microsoft.com/security
>
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> "D. Small Gilligan" <jgillig1@nycap.rr.com> wrote in message
> news:OvXn9e#jCHA.1652@tkmsftngp09...
> > This is most excellent news. I think the lack of information for
> > end-users contributed a lot to the disasters (windows updates,
> > trashing of programs, etc) which hundreds of thousands have
> > experienced in the last few months. Since we were basically fed
> > technical information, trying to use that information surely must
> > have broken a lot of things.  I'm a long way from being a technician,
> > but I've had to learn a lot more than I wanted just to be able to do
> > the kind of work I want to do inside this monster on my desk. Last
> > week I began looking for "ordinary" security measures for the "common
> > man" so to speak, and have not found what I need.
> >
> > I was interested in a small article I picked up the other day which
> > leads me to believe that there will probably be another age coming up
> > for computers regarding security.
> >
> > MS Takes Hard Line on Security
> > Source:  Wired News
> > Date Written:  November 14, 2002
> > Date Collected:  November 15, 2002
> >
> > Craig Mundie of Microsoft released a statement on Microsoft Inc.'s
> > Trustworthy Computing initiative. Mundie announced November 13, 2002
> > "that in response to the threat of terrorist cyberattacks, Microsoft
> > would deploy security fixes to its installed base of hundreds of
> > millions of computers worldwide in the coming year -- even if those
> > fixes break applications in use by customers." He also said that,
> > "We're going to tell people that even if it means we're going to
> > break some of your apps, we're going to make these things more
> > secure. You're just going to have to go back and fix it." Mundie went
> > on to say that increased spending on development and maintenance is
> > necessary to increase security. He also indicated that Microsoft's
> > business model, the push to increase revenue with sales of new
> > software with new features, might have created a situation in which
> > less than secure code was produced. Mundie said that every Microsoft
> > project has a security function portion.
> >
> > http://www.wired.com/news/technology/0,1282,56381,00.html
> > Also - http://www.pcworld.com/news/article/0,aid,106928,00.asp
> >
> >
> > ....................................................................
> > "Hank Arnold" <rasilon@aol.com> wrote in message
> > news:#pAiMY7jCHA.2672@tkmsftngp09...
> > > I just got an e-mail with the following:
> > >
> > > =====================================
> > > Dear Microsoft Customer,
> > >
> > > I'm taking the unusual step of sending this mail to the Microsoft
> > > Security Notification Service mailing list to tell you about some
> > > changes in communications practices that the Microsoft Security
> > > Response Center is making.
> > >
> > > Customer feedback tells us that, while technical professionals
> > > value our security bulletins, many end-users find them overly
> > > detailed and confusing. In addition, end-users who subscribe to
> > > the Microsoft Security Notification Service receive bulletins that
> > > are of interest only to developers or system administrators.
> > >
> > > To help customers, for each issue, we will now create a less
> > > technical end-user security bulletin that we will host at
> > > http://www.microsoft.com/security/. We will continue to release
> > > the current security bulletins targeted to technical
> > > professionals. The new end-user security bulletins will describe
> > > straightforward steps that customers can take to help keep their
> > > systems secure.
> > >
> > > In addition, before year's end, we will create a new End User
> > > Security Notification Service that will notify customers of
> > > security issues in end-user-oriented products and provide a link
> > > to the appropriate end-user security bulletin. The TechNet
> > > security bulletins will continue to include technical details that
> > > enable IT professionals to determine where and whether a patch is
> > > needed or whether workarounds are an appropriate alternative.
> > >
> > > We have also received feedback that, while many customers rely on
> > > our Security Bulletin Severity Ratings to help them decide which
> > > patches to apply, they find that the ratings fail to clearly
> > > identify the most serious issues. There is also a widespread
> > > feeling that the Severity Ratings are difficult to understand and
> > > apply. For these reasons, we have modified the Severity Rating
> > > criteria to help customers more easily evaluate the impact of
> > > security issues. We hope that this more prescriptive guidance will
> > > help you distinguish the most urgent security issues. I encourage
> > > you to review the updated Microsoft Security Response Center
> > > Security Bulletin Severity Rating System at
> > > http://www.microsoft.com/technet/security/policy/rating.asp
> > >
> > > Microsoft is committed to help keep your systems safe. As part of
> > > that commitment, we regularly review customer feedback and update
> > > our security response process to ensure that we are doing all we
> > > can to meet your needs. We appreciate your feedback and hope that
> > > you will find that these changes help you keep your systems
> > > secure.
> > >
> > > Thank you,
> > >
> > > Steve Lipner
> > >
> > > Director of Security Assurance
> > >
> > > Microsoft Corp.
> > >
> > > =====================================
> > >
> > > --
> > > Regards,
> > > Hank Arnold
> > > "Jerry Bryant [MS]" <jbryant@online.microsoft.com> wrote in
> > > message news:e2qo9$1jCHA.1584@tkmsftngp11...
> > > > The Microsoft Security Response Center is modifying the severity
> > > > rating scheme for Microsoft issued security bulletins.  These
> > > > changes will be announced on Monday afternoon, November 18, 2002.

