The lack of standards or consistency in the industry makes prioritization difficult for IT. Microsoft's severity ratings are probably on target, but their definitions are obsolete.
Today's Patch Tuesday bulletins announced 11 vulnerabilities: four critical, six important, and one moderate. What do these terms mean?
You see severity ratings almost every time you see a vulnerability
disclosure, but there are no hard standards for what they mean. In
fact some vendors, most infamously Apple, don't provide any severity
ratings at all for their vulnerabilities. Not that Apple is a big issue for
many enterprises, but the absence of severity ratings makes it
difficult to prioritize patches.
Microsoft's definitions for its ratings
were last updated in November 2002, so the company is evidently comfortable with
them. Let's look at the definition of Critical: "A vulnerability whose
exploitation could allow the propagation of an Internet worm without
user action." That's pretty serious stuff. It sounds like Blaster and Code
Red. Did four of this month's vulnerabilities really have the potential
to result in Internet worms?
I'll go out on a limb and say no, but it depends on what you mean by
Internet worm. I think of a program which spreads itself around without
users taking any action, like Blaster or Slammer. Microsoft uses the
term Critical often when user interaction is required.
Consider this month's critical update, MS08-057 (Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution).
It describes three vulnerabilities in Excel that are triggered by opening
a malicious document. Only for Excel 2000 is it rated
critical, because that version does not, by default, include the
functionality of the Office Document Open Confirmation Tool for Office
2000, which prompts the user before a document is opened. A bug that needs a
user to open a file is not what makes an "Internet worm."
In fact, Microsoft has been ignoring its own definition of critical
for years, as it should. There haven't been any real Internet worms for
Windows in years, and nobody else restricts their definition of
"critical" to such dire circumstances. Microsoft's Jeff Jones alludes
to these points in a blog post on severity rating systems from last year.
I think for most vendors critical means remote code execution, but
not to Microsoft, at least not officially. It's not hard to find
Microsoft remote code execution vulnerabilities rated Important, such
as MS08-049 (Vulnerabilities in Event System Could Allow Remote Code Execution). I think the difference in MS08-049 is that the attacker has to be authenticated, which is a serious limitation on the attack.