Microsoft Security Response Center Security Bulletin Severity Rating System (Revised, November 2002)
The mission of the Microsoft Security Response Center (MSRC) is to help our customers operate their systems and networks securely. A major part of this mission involves evaluating customers' reports of suspected vulnerabilities in Microsoft products and, when necessary, ensuring that patches and security bulletins that respond to bona fide reports are produced and disseminated.
The MSRC issues a bulletin for any product vulnerability that could, in our judgment, result in multiple customers' systems being impacted, no matter how unlikely or limited the impact. However, this conservative approach to identifying vulnerabilities that require action on our part may also have made it more difficult for many customers to identify those vulnerabilities that represent especially significant risks.
In industry experience, attacks that impact customers' systems rarely result from attackers' exploitation of previously unknown vulnerabilities. Rather, as in the case of the Code Red and Nimda worms, attacks typically exploit vulnerabilities for which patches have long been available but were not applied.
Not all vulnerabilities have equal impact on all users. This document presents our security bulletin severity rating system. This system, which we revised in November 2002 based on customer feedback, is intended to help our customers decide which patches they should apply to avoid impact under their particular circumstances, and how rapidly they need to take action. Customers have encouraged us to include this information in our bulletins to help them assess their risk.
The Severity Rating System
The severity rating system provides a single rating for each vulnerability. The four ratings are defined as follows:

Critical: A vulnerability whose exploitation could allow the propagation of an Internet worm without user action.

Important: A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users' data, or of the integrity or availability of processing resources.

Moderate: A vulnerability whose exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation.

Low: A vulnerability whose exploitation is extremely difficult, or whose impact is minimal.
We will, where appropriate, point out cases where the severity of a vulnerability depends on system environment or use. The ratings will make the conservative assumption that the vulnerability is known and that code or scripts that exploit the vulnerability are widely available.
Using the System
We will apply this severity rating system to each newly issued security bulletin from this point forward. Where a patch addresses multiple vulnerabilities, we will label the patch according to the most serious new vulnerability that it eliminates. In addition, the associated bulletin will always provide a separate rating for each issue it describes.
We believe that customers who use an affected product should almost always apply patches that address vulnerabilities rated critical or important. Patches rated critical should be applied in an especially timely manner. Customers should read the security bulletin associated with any vulnerability rated moderate or low to determine whether the vulnerability is likely to affect their particular configuration. We believe that patches rated low are less likely to affect most customers.
While this severity rating system is intended to provide a broadly objective assessment of each issue, we strongly encourage customers to evaluate their own environments and make decisions about which patches are required to protect their systems.