|
|
|
What Makes a Critical Vulnerability Critical?
By: Larry Seltzer
2008-10-14
Article Rating:  / 4
There are 0 user comments on this Network Security & Hardware story.
What Makes a Critical Vulnerability Critical? (
Page 1 of 3 ) The lack of standards or consistency in the industry makes prioritization difficult for IT. Microsoft's severity ratings are probably on target, but their definitions are obsolete.Today's Patch Tuesday bulletins announced 11 vulnerabilities: four critical, six important, and one moderate. What do these terms mean?
You see severity ratings most of the time you see a vulnerability
disclosure, but there are no hard standards for severity ratings. In
fact some vendorsmost infamously Appledon't provide any severity
ratings for their vulnerabilities. Not that Apple is a big issue for
many enterprises, but the absence of severity ratings makes it
difficult to prioritize patches.
Microsoft's definitions for their ratings
were last updated November 2002, so they're pretty comfortable with
them. Let's look at the definition of Critical: "A vulnerability whose
exploitation could allow the propagation of an Internet worm without
user action." That's pretty serious stuff. Sounds like Blaster and Code
Red. Did four of this month's vulnerabilities really have the potential
to result in Internet worms?
I'll go out on a limb and say no, but it depends on what you mean by
Internet worm. I think of a program which spreads itself around without
users taking any action, like Blaster or Slammer. Microsoft uses the
term Critical often when user interaction is required.
Microsoft releases Patch Tuesday fixes with new Exploitability Index. Click here
to read more.
Consider this month's critical update MS08-057 (Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution).
This describes three vulnerabilities in Excel that result from opening
a potentially malicious document. Only on Windows 2000 is it rated
critical, since that version does not, by default, include the
functionality of the Office Document Open Confirmation Tool for Office
2000, which forces confirmation for opening documents. This is not what
makes an "Internet worm."
In fact, Microsoft has been ignoring its own definition of critical
for years, as it should. There haven't been any real Internet worms for
Windows in years, and nobody else restricts their definition of
"critical" to such dire circumstances. Microsoft's Jeff Jones alludes
to these points in a blog on severity ratings systems from last year.
I think for most vendors critical means remote code execution, but
not to Microsoft, at least not officially. It's not hard to find
Microsoft remote code execution vulnerabilities rated Important, such
as MS08-049: Vulnerabilities in Event System Could Allow Remote Code Execution. I think the difference in MS08-049 is that the attacker has to be authenticated, which is a serious limitation in the attack.
|
|
�������x}r㶲s\@♵M"b{lcؖ�gRJEĘ"Hʶ~b:?qt�M�Z%qIlK���}C�I�9wur5g6%S��E]"Io�C(pR/��IzA)�v�@{iFu�;A���p��T7�d�>J�`OS;S
� Ɠ5>X1 |+[S}L��F�6�\�3��b
^�Qk$Ё_M�ܦ�%Cx�Gu)tC(D�HږyD6�EG�J��ߣ*C7�ݩx8/DeO�ɾy5E�hDԤ#|xB�g�xG�d�Y���
(ƻ�fՉziZgC2]�pj:TN`UFfn�=KQ��z���r�[�BL*-�D�ƞ4HC�h��;E�ý�е�}:|p���09Je�j-nfO-�n@w�0\'p}j� �b@rhưcIp��|2X�pi�G?j95O?�I܃N8C�Ynհ}=
:ԍ۱�|$�.j.s&,U-�0�wS�&�&>�dRrhXdQ}9e,�4a[mѡlطGZ.�h5E9*U+�xxo9{�ؖ3{P^p?�OΕirpѻ]�H� �C[wn�5-�ZI;\w{>~n��r ����o$&��@Dr V*4MD��&-āI^:�H5=(ǭ~7B-��%MюR;2,fϷ��3�+i�*�H,ǝq%?Zڗu&u}X6&�Zj�C�A/]?#;ˠjqsںy\7=rڽ&IŝN4p3
䏵V
p�6O{:$~|�54Y�01\�
\V+�HjG$Zݓ6է )H|S:VE~>_��C��J�ݖe�L_*X_��KŗG)LY4C��! ,mdʱ�(�r�N��f9A}E'ԃ�6kiBu�V�!`JC�̺�N�R�$9�V/��ȟ4�R\� 9jbs�vf�;M�?�fz�C�C�Z9nVĨ9U�SAeEI7CD� r23y�B(��PHQ��>L�y%Ku}7�p�@WMcrlNTW꒬2Wb{gH�\z�fuEzW^�?]{68^%glh|��X.B2iK1QW5MGZ9HLG_)C>�ѯ+� r%(NLf[ԑpl�òDŽIG�z=8����aO>lZ�ꎓz�>:AGA�ti�šh4άP7&��h`C:}ҍ;L �
'pGbd�x:� }C
�04��LH"AЂM�t�T�;n�]`�2��Zw�9ܻ-(;�hk
=�`Dy+wCP�b�(=��զA�{�Tgg,z���C��
�����k
6G~[>l0��3�Q�A\Q�@-�2)%%E29 E�EK�i�@$� $h�-4a��r.��ρl�bů(?H�X-吝rH�˛nO�q$cw�}s�MXأXB�^�X/E_R�2әJ2j2k|o�ƪń(VFNL�1|�0��Vj)epGҶ-o� �e h�B=WsF��'A|5
�i!s'Xe�n<�Ey�5cuɕU.F�iJ�~*�t�jz�#J�ݼ~h���;h{q#%Aw
�=�e河�xO:[[%7˺�I8�{Ҵ.�Z.퉟e�Y
mc-0^�Ԣ(/a|u(" !�l��siŴ,B
/0|:Cb&^&thQs&�u���a�C�+%UV��LLXVȣJV�(fMڹeK �l�@�r;4
po�p�27bbˡB2
OaN��}6|Az{fL�\?C� �8yRv�&n Ea e�.�G&fF�- ��o+_ ���%�?�:P]W=z,�K+i{yaؕ.R\�|zn� [QH�z{�=c�Tf le8l0��X|�?7:y��y
�'JY)jy�cl��q,�Y�6�Uȵm>�3�ɺ3'Q0JЫɅBsMq��N!WӐPU+@ �b^�4(Nu=(U�+.�>F�B?�%�hTcfJf�-`\.cJ�REm�xܭSRJ(3DZ�ޙ(@���y�G�2$t`n\��>(cpHl`_��\�<ׇ� BK
�LΧRER���-��-UN=)
]��g`u�XR]OqPe�УG�jq~ᇆ9ë#_0p�pb�+�'0E�<&�&{-KX�e�}t!/'ϐMqѡ,uo䚢#Ïn
OQ��
�g�#lhCx�R
'�`Q`:4gۢ-�7{I-~4d�� ӀY�̹
q<�\_Y��S��?�N=�1o5}�u��*ՃZIe߯YU�PY�Lj��B&:��dHCtݣk�;J%��J�~p㉱V{f,}PZ�_6cmśf^ab2U�{YoƱ)�
~g��ɲ�׆gy�Ϥͬh3|5���Nlwf�)~�9�k %jsU_5-P�{F�H_-L{efr��#BS>/�CW5�o�ɈB"+�>�aJ��֍3Pӳ)
�5Pkx��WJe�=McX�<�,�Ǥ�|U�4,t0�a 3[`z�}LEN@5# c��ف�=E(�SP^Cs�2<](h��`-�PV'i6r�
A�?\ۥqc�`��a} 2�"⊟BXMV\�uGcՏ'�8,*�z)#��ʌ�Qߐ@hrGX��] km{]T3)f(&l�?/c�q�)Հ�,�NuR�;GzX�z))5rdE3EU5�d9OM�#?�7Ր�kZ[G+^$G{eY�(Z7M~TUJJЛga�C.Fq��]FmEmP
3S`ɒ8wkps)�sp:'S 6PFz�*�%Pa�AV<^��ۍ�u3קA(6e�EZ�ǴX݂��ā�3o?f�/4N�Vŵ]2IdH�$U
~`MٸUvJӴj%I=�O����}1*�Q�-ˤӧG_��׆!�oy!3." WP)߱v�9�:)xT״}�m\�ݑN�\X cu
�($ڃZ#OY�\�'
�*�Z:p.g(
�,O$�e,t:�ǣ[mpD75�),9J`&gP5([hr1���=�qU�a��NT+*��y<8'v/>B�(5A AI2@"DJ?%s�?��Ѝ �F)X1&MsE])77V쐔4U{ڽK͋C
?ο�T�hq/R�,^~xtْ:�͏m~�cϻ;H��VBL0B�_�XH�!)$ze��MAy��x��9$gE_A>?u��T%ݝ:V8�8F�ʳ�ƍp'a�wʜW#�}`Z/� ?�Y
.�k ��v��g>&k��>dNƄ��@95ѧ�ǂ� ��ি�
C�A] ��ު��M�$7�L,`�*hu5fXe@�KoCӝꖃCL#.I߾&/3�
�#A�ɼ��}g��w;}�T�=e>d>IАYc=ty9!�-_^:ؓ�̆{J'c'Ǯ~'ۻ��}Zؖ[q*ApC<3�Ҁ�I1$�ZQVP�**s攤˞�v�X�Њ�&�b�`@Ɍ7#Gҁ;&-3(��m3F-߹_3{K=�wK}�U"FϺ�w�72]awmB%umJˢz9nwh�p;T�%%yȁIQ�)"y�6Kh#jv.b;+�&bidO1\jc+輳��2���
a[CV
lKG
s�cx�2�F�euw#�c�³��D`HI@R�}�g�6A� j(l8��ntp�U0p1-78\}5�߈:6"Y1!IfM1XPq��s2i��TWeT�c�S�K?_B�!MsѴg=.0(Q�/���K[��^]:lQMo
%n:A+��gsX#gqEV�i1vZ�%�ck��ܛI'*%qJM;W
2O!.ɼn�v�$= �7�q:6MQ��C?ֽp{q��(z8I�X*@
1Wzr>�Z3x�8xX`oѤwx�?w�ʞ@m65�%�HEQ�^d�_wꕃZM�62E 4�V#LhW� ��d�-(1|2�R�HA:qg)'�â�h��>#j5YH�1��r!a%N�t�AO#�A'Y�
A��IY5%Y�"�=�+缽|!(;9TURk��sHS{qk60z@�l(}��}U:��
rhC#��E|ɡc*a� > ��&2�^ڒ�Ҧ�Vzq
f@Oiʧ~/���V'Sx*fgZOa��Ah ;"8"���= ��*4Sڊ*I)8]V��lqR)=P�!u{9u;$��0�Ρ=�@HG~~[УQo1u"�4�L^M\�SP⑾��R}\�š��
I=�FmlQyKQ*mJ9S�q�<�8ę7@c=2
F/%=fR}Q�@I� Hu�ewa�ӒkQˡd6�wcO-K(yH̔6�rPbk[rAƮ15˟`5Y��8jzV�ވŽ____UR=_ϗwbW��%p�1t�f^IZVZٗ\2IE*B֝�w$��w�&?I"{I:�(A��S/�ߐ^
+R7F��L1.U@T��xa�S�!<'ʏIgAtɨD�X|y1'�2�
-ML�sx�qE?4/g\k�,||'�>q Cg!͕_��H��B�2Х�E�%G�u�c�~ek��=#�n/��.aYcG�7"_�y�ޞƳAlH"LՈOt�,,z3�ÞG3[u?Y`@(Cvtǵ4G��I��$���/��4ꆔZX6,|Q����H>pA�ƶ9�B-�vtL#�BMjK=[9��v`/?l��1c2g��cJvވ{=ś+/ZS&Tq_____xk}m{-e��8=I�Ƶ����2�FAφE ?$�Q��I��a�"`cX�}�*e
B^g_�CKTR} � N�$!5�G�"Bcol;zA4�#F
��H\�$��6f6��s%.�T'��
�� ,v]�? ��KDP�|4�H܂�0�uT۔UEBuͲm}=
a��"[�2�ߪA5V<|}Oa�C�hGuM
F@ϯ�aࣃ7��4<���N_a H�O��~<
ذ+W��/u`}>>)*EJ7
�Ib*ۚ-�+Gx;�7�{.rPf5~
sbftyl.(ALt�?4~�w6�z;�=`ۭ�2^S w/�d±+lx�٫_B5c9M\O?J%T+,_��]'5O�3i�"�^yyӫ�B[Π6k1)�Z_xm&$~�?h��a+M�%�6-1ŋj{_<@VE[6ө{G۽+eX
-}-&ô)E�ڃ��y{�Yj|ubM4tF87g�\)c2�Jf67sj`
�n%9 ��.�tKפ{�t:\�;2)P'\>kA*~i//m~ᙛcX([A�L@Ukb�2��[��-{8S�o�xz1{Dv1!::`��.Nuw>%wφxSq{QK#D�"<^V�){ZmO�L7
~Z+
R�Z�Ztȕ'w �2y(�^bC�x8�j
��g{W{[��$,ݎ#kvη;"?(F]{F9-0�oؾ;&/�z~w G2C"(lh�F]�hXXCe�rmb�h�}�cDr��vXzBYm�Ӷ�O]YL�a�!-(�-Ȯv�aIz[&{ψ$9�QmEMm&� 0kQ�)&lRK!'�q�/�+���ۏAE&Lj[�^���^R,oqn/
=J�8l*b6K�-'I-5}L1^[�9���ʥ`�Rky�K
l�c�1
{[��cUAN2�AGu
SoB�*GR!դi�^Hq5&@
�mN�hC��~�?�Vz^3ZkX;XifyJ�)~,y�-�JYՉJ\��mݹ]��qCjLxqE�8eev�R�c�zcqV*5:ݏ�d;�Z��Sep-d |
Y?�*ªF��i�f ZZGZI)JȋP^Csʷ0.ؕ՚Tھ
fOPVT99(ҋhR#�9[Dfq��|��/}^pY$֞PP.%(7c"~Ί9�}�|r����[�o?V-�F]ˎ�>=,�1ҵτ(ʔ.}d�
=� n5HX#%LNgNtL}NL톫$õ6�n�Ot�@EP]'I9~kuN�ў`H0,9)\�xfV-j5FdG0�,2; v!�4�3�K�[3@$=�jg~RۈuXboaddd㍨=+08ZU5��bx�Ӆ�Z�|ɌV:m�FA�&�_cL~wc
��}(W' n$�,�W�\C�P�|,Sw�Wp+TyjVW>2d�1�}�NM��L��St#�?�+){ꞪߓϞ\�q48�ڀ��kcE�%:�xdc�6ɝ2Md.4�'�k3`y rF@Yf3G��� P5�6D�:noퟐ�srپ靷u�=<��LswB"#,*nNwOd0A !!aS
ǡ'L�uE)
2,a�Ę.3�!�̆\nX\x��:�L$!�i"m�oz˞r0�=sC~b�C:�
�ZS��=ӂF$Є��GcOs?�3uǸۭ�sx�XҚ:ce� kE�$�06@!��II!5�Q�"`"1a9=c�1;(rx�цRǠ{=۹bl��Uo%P`�qT|8snj|J"�҃Pb1�YbR*
tQ:..�(�� o$�H)�ZPXP؟S��e�KHB}�s�^j8CXLi8q���Xg�-�.E�.[a8;
�ܕ�ӗr
VI!pRt=��:r�tT*ʞ
|{�C�@u��Z�S��2S¤vtb����H$`x=9Aimnta~X{��dO 0��
�Ka1c�~PoVr$2k
>�(%3�ʰ�LXU˩3�?�(
;�e"��=Mɕ@*�Z���Ȉq�/w�o�#�&a@}lF(Dwn�`9��ͫ/{M&OǽUӽ$
�¶V-J-�u�w[_NW_N;e8|�|i5'}ҽl��IJ/6ρ�sr_rʯz}I�(SޅnN9Rz}y�pj生@Si�~>B?'(Shu֗wZFS��3˜r'?
z9_s��]"g~.`�9��y��9�\碇W�}^�E�}"^3)?@?r/"�2g~/.s�2gnN 9�#_>r
y�:~z0^{0^@��?/�)>Cr�}�}
�
M�u$!(oY
�No�ps˅q�+ /ޯ�?�4�sYE�zvC�X^R*43
ௗ�ߗ�dnldҹ:
aq�ʍz�^S_xڞꖽpLڭf]�9n@KG{1*�,xW&���
)htVydS����˼=�>w�滴I��xո]@&J27[O')^�t�kz(s<2g!�h{�dZc+m�D�tb�9�|.y��|8SNt7$1 Q̥-c��LSS;N��=��{��n��7��F�n�@q�Lb�(sOkz>s��xvY^]Y��X�;Yo�%P.YC�IsDgev' A�Ѻ`�*+6�:�7q3[� #ňà��8П�}r�F�Fc�Vj?f�>taOC�vHy>j~llZ/O>�*8z:R��M7��,RKtCc,>xxChعO�vЍ 5zĪo�QF#��{4���́a[�CR'�o6*VZѷ;5"�)���#29T5YUdF.��j�堼_��,)g
�/(�@#غ̷7|�'C7":i�Rq�
�x+[&��.�<��tl5ڎY�IU|��y3�"�`TS); �~�I,�YDP&`!�؞.�^͆$� �w�� `1ƽǤ�m!�clɢ]k*b�"�1
l&$9tgj[L,!iށxxfM&=ȁv=�E�Y�%'�x-&(B:=�|#�N�.LEkzq;�68��,e�dYdC'E��C��k`Yer��c2O�5U&O|w��`�ȼ<"+G0H\hd�X?0"�C0t�o\F*0y."6��Ǽe�@�
N�-`Z}�v�wVFĤk,%`
c5c";2çB��0~>��m�:�o1I55~�ɱL(
V1�k�DF(l#B�!�z!fE�!1ugV@U}�C�1*��ϑ�978p5o2s&z�U Th<�SϫH�1E![{ -zGmô�z)LJ)@BoEYR%:�ozk[�2R�,���`+/^�;#�B+*π���2� {�/H�>;#S3Q)jkA/?tI3۱x쥽%�}Yq ��v.}�X#U:.~i�\*�$CbiG$]'
"#_S�a�oi�l/yHR��}J�0yN:m�v8�)�t�vwjky?-;waS)f��GVFp)hDN�cx '65T#�?_�vs[>/৲`���{z��w1G[�0rcz7Y=W
li12�#,�$$jVI�;;Q0��&iE-ȓl`C�v�_.~ph[?�2Y�A� wVǰ�YR!Ƨ?�'T�S*�4.>ϝn̯\2�xDx^N\oRM��x��T$,DzU\�Z
^chX$_֬�"�N�y�'E��=�!a5>g~C{%�9��:~0>~0?�rX)>ʲƘe>x\���L++�5�2lv*�
XJ!KŬ"&D0H�'��'�
�}�fnԌaBb�v��L$F�8=�3^�೨b�//bA,xr&r*�_x�WI"cXMb0�#:L+O���+R��Sq�9o/ݍS,{ٗN�/<|;�X��Yt�(y�'g*FRq�OR||<�(>w�oh-/=n%E�m9EKB^Y��B*K�wl:��T7 r�Fͳ��ś|G`bhPhyYWVMŽF�36HZ�\֓�eV^��z"f/F)SذM�*i2�9J{)
qU˕bm�TʩY+~XX96v6ЄMb7&�;i�1Բ�O,+��
|
Network Security & Hardware 
