Microsoft Security Bulletin Severity Rating System Changes
From: Jerry Bryant [MS] (jbryant@online.microsoft.com)
Date: 11/19/02
From: "Jerry Bryant [MS]" <jbryant@online.microsoft.com>
Date: Mon, 18 Nov 2002 16:09:54 -0800
The Microsoft Security Response Center is modifying the severity rating
scheme for Microsoft issued security bulletins. These changes will be
announced on Monday afternoon, November 18, 2002. Please review the
following changes.
Microsoft Security Response Center Security Bulletin Severity Rating System
(Revised, November 2002)
The mission of the Microsoft Security Response Center (MSRC) is to help our
customers operate their systems and networks securely. A major part of this
mission involves evaluating customers' reports of suspected vulnerabilities
in Microsoft products and, when necessary, ensuring that patches and
security bulletins that respond to bona fide reports are produced and
disseminated.
The MSRC issues a bulletin for any product vulnerability that could, in our
judgment, result in multiple customers' systems being impacted, no matter
how unlikely or limited the impact. However, this conservative approach to
identifying vulnerabilities that require action on our part may also have
made it more difficult for many customers to identify those vulnerabilities
that represent especially significant risks.
All too often, customers fail to install the security patches that would
protect their systems. In industry experience - graphically illustrated by
the Code Red and Nimda worm viruses - attacks that impact customers' systems
rarely result from attackers' exploitation of previously unknown
vulnerabilities. Rather, such attacks typically exploit vulnerabilities for
which patches have long been available, but never applied.
Not all vulnerabilities have equal impact on all users. This document
presents our security bulletin severity rating system. This system, which we
revised in November 2002 based on customer feedback, is intended to help our
customers decide which patches they should apply to avoid impact under their
particular circumstances, and how rapidly they need to take action.
Customers have encouraged us to include this information in our bulletins to
help them assess their risk.
The Severity Rating System:
The severity rating system provides a single rating for each vulnerability.
The definitions of the ratings are:
Critical:
A vulnerability whose exploitation could allow the propagation of an
Internet worm such as Code Red or Nimda without user action.
Important:
A vulnerability whose exploitation could result in compromise of the
confidentiality, integrity, or availability of users' data, or of the
integrity or availability of processing resources.
Moderate:
A vulnerability whose exploitability is mitigated to a significant degree
by factors such as default configuration, auditing, or difficulty of
exploitation.
Low:
A vulnerability whose exploitation is extremely difficult, or whose impact
is minimal.
We will, where appropriate, point out cases where the severity of a
vulnerability depends on system environment or use. The ratings will make
the conservative assumption that the vulnerability is known and that code or
scripts that exploit the vulnerability are widely available.
Using the System:
We will apply this severity rating system to each newly-issued security
bulletin from this point forward. With regard to patches that address
multiple vulnerabilities, we will label each according to the most serious
new vulnerability that it eliminates. In addition, the associated bulletin
will always provide ratings for each issue described.
We believe that customers who use an affected product should almost always
apply patches that address vulnerabilities rated "critical" or "important."
Patches rated "critical" should be applied in an especially timely manner.
Customers should read the security bulletin associated with any
vulnerability rated "moderate" or "low" to determine whether the
vulnerability is likely to affect their particular configuration. We
believe that patches rated "low" are less likely to affect most customers.
While this severity rating system is intended to provide a broadly objective
assessment of each issue, we strongly encourage customers to evaluate their
own environments and make decisions about which patches are required to
protect their systems.
This information will be available on Monday, Nov 18, 2002 at
http://www.microsoft.com/technet/security/policy/rating.asp
If you have any questions regarding the patch or its implementation after
reading the above listed bulletin you should contact Product Support
Services in the United States at 1-866-PCSafety (1-866-727-2338).
International customers should contact their local subsidiary.
--
Regards,
Jerry Bryant - MCSE, MCDBA
Microsoft IT Communities
Get Secure! www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.