Microsoft Introduces Security Bulletin Severity Rating System

Microsoft announced that it has instituted a severity rating system that it will apply when it issues new security bulletins and related patches. The company said that it designed the new system to help customers decide which patches they should apply for their given network environments.

The new rating system is a matrix of three severity levels in conjunction with three system environments. The severity levels are Critical, Moderate, and Low, and the environments are Internet Servers, Internal Servers, and Client Systems.

"We will apply this severity rating system to each newly-issued security bulletin from this point forward," Microsoft said in a document it posted on its Web site. "Initially, we will include information about system environments and associated severity in the text of each bulletin. Over time, we plan to enhance our security bulletin search page to allow users to select bulletins by environment and severity. With regard to security rollup fixes, we will label each according to the most serious vulnerability it eliminates. In addition, the associated bulletin will always provide ratings for each issue described."

The new rating system stems in part from the fact that many users don't apply security patches because they aren't aware of the relative severity of specific issues. Microsoft said that it released about 100 security bulletins in 2000, and that in reviewing those bulletins, it would label only 5 as critical. It's the critical issues that malicious code developers generally exploit to attack large numbers of systems.

"One of our major concerns is that, all too often, customers fail to install the security patches that would protect their systems. In our experience--graphically illustrated by the recent Code Red and Nimda worm viruses--attacks that impact customers' systems rarely result from attackers' exploitation of previously unknown vulnerabilities. Rather, such attacks typically exploit vulnerabilities for which patches have long been available, but never applied."

Microsoft said it's also planning to integrate the rating system into each of the automated tools it provides for security purposes. On the Windows Update Web site, Microsoft will categorize critical vulnerabilities as critical updates, and categorize moderate and low vulnerabilities as recommended updates. In addition, Microsoft will modify the XML database file associated with HFNetChk and Microsoft Personal Security Advisor (MPSA) to help users determine which patches they need.

"In introducing the severity rating system, it's important for us to stress that we are providing our overall estimate of potential impact in the context of millions of customers worldwide; the severity ratings are based on our past experience and subjective judgment and may not be accurate predictors of impact for any individual customer," the company said. "In the end, every customer must be responsible for deciding whether or not to apply a particular patch, based on the particulars of their computing environment."

You can learn more about the new severity rating system at the Microsoft TechNet Web site.
