REDMOND, WASHINGTON, Oct 16, 2001 (Newsbytes via COMTEX) -- In an effort to
help customers better respond to security threats, Microsoft [NASDAQ:MSFT] said
it will begin adding severity ratings to its security bulletins.
Under the new severity rating system, vulnerabilities in Microsoft's products
will henceforth be classified as either "critical," "moderate," or "low,"
according to a document released by the company's Security Response Center.
In the past, Microsoft has issued security bulletins whenever a vulnerability
could affect several customers, "no matter how unlikely or limited the impact,"
the company said.
Last year Microsoft published 100 security bulletins, which warned of threats
ranging from the "Clip Art Buffer Overflow" to the "Web Server Folder Traversal
Because its bulletins were not prioritized, Microsoft acknowledged that "all too
often, customers fail to install the security patches that would protect their
According to the company, the new rating system was requested by customers and
will classify vulnerabilities based on "the impact that could potentially result
from exploitation of the vulnerability and the likelihood that the vulnerability could be exploited."
Microsoft will also distinguish security threats by three different system
environments: Internet-facing servers, internal servers, and client systems.
To merit a critical severity rating, a vulnerability in a Web server, for
instance, would need to allow Web site defacement, denial of service, or full
control. A low risk threat would have a limited impact, such as the disclosure
of scripts on the server, Microsoft said.
On client systems, such as office desktops or home PCs, bugs will be classified
as critical if, for example, they allow arbitrary code to be run without user
action. Limited or fragmentary data theft or modification on a client system is
considered a low risk under Microsoft's rating scheme.
The company acknowledged that "subjectivity and judgment" will play a part in
its assignment of vulnerability severity ratings.
Microsoft said the new severity rating system will go into effect with the
release of its next bulletin. In the future, customers will be able to search
for bulletins on the basis of severity and system environment.
Microsoft's severity rating system follows a practice currently in use by many
anti-virus software vendors for categorizing the threat of new viruses. Many
computer software vendors, however, do not prioritize the severity of security
vulnerabilities identified in their products.
So far this year, Microsoft has issued 51 security bulletins, which is 20
bulletins behind last year's pace. However, the months of October through
December were the heaviest of the year for security bulletins in 2000.
More information on Microsoft's security bulletin rating system is at http://www.microsoft.com/technet/se...ics/rating.asp.
Copyright 2001 The Washington Post Company