Microsoft Security Response Center Security Bulletin Severity Rating System (Revised, November 2002)
The mission of the Microsoft Security Response Center (MSRC) is to help our customers operate their systems and networks securely. A major part of this mission involves evaluating customers' reports of suspected vulnerabilities in Microsoft products and, when necessary, ensuring that patches and security bulletins that respond to bona fide reports are produced and disseminated.
The MSRC issues a bulletin for any product vulnerability that could, in our judgment, result in multiple customers' systems being impacted, no matter how unlikely or limited the impact. However, this conservative approach to identifying vulnerabilities that require action on our part may also have made it more difficult for many customers to identify those vulnerabilities that represent especially significant risks.
In industry experience, attacks that impact customers' systems rarely result from attackers' exploitation of previously unknown vulnerabilities. Rather, as in the case of the Code Red and Nimda worm viruses, attacks typically exploit vulnerabilities for which patches have long been available, but not applied.
Not all vulnerabilities have equal impact on all users. This document presents our security bulletin severity rating system. This system, which we revised in November 2002 based on customer feedback, is intended to help our customers decide which patches they should apply to avoid impact under their particular circumstances, and how rapidly they need to take action. Customers have encouraged us to include this information in our bulletins to help them assess their risk.
The Severity Rating System
The severity rating system provides a single rating for each vulnerability. The definitions of the ratings are:
| Rating | Definition |
|---|---|
| Critical | A vulnerability whose exploitation could allow the propagation of an Internet worm without user action. |
| Important | A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users' data, or of the integrity or availability of processing resources. |
| Moderate | Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation. |
| Low | A vulnerability whose exploitation is extremely difficult, or whose impact is minimal. |
We will, where appropriate, point out cases where the severity of a vulnerability depends on system environment or use. The ratings will make the conservative assumption that the vulnerability is known and that code or scripts that exploit the vulnerability are widely available.
Using the System
We will apply this severity rating system to each newly issued security bulletin from this point forward. With regard to patches that address multiple vulnerabilities, we will label each according to the most serious new vulnerability that it eliminates. In addition, the associated bulletin will always provide ratings for each issue described.
We believe that customers who use an affected product should almost always apply patches that address vulnerabilities rated critical or important. Patches rated critical should be applied in an especially timely manner. Customers should read the security bulletin associated with any vulnerability rated moderate or low to determine whether the vulnerability is likely to affect their particular configuration. We believe that patches rated low are less likely to affect most customers.
While this severity rating system is intended to provide a broadly objective assessment of each issue, we strongly encourage customers to evaluate their own environments and make decisions about which patches are required to protect their systems.